Abstract


We consider the problem of clock synchronization in a system with uncertain message delays and clocks with bounded drift. To analyze this classical problem, we introduce the concept of synchronization graphs, and show that the tightest achievable synchronization at any given execution is characterized by the distances in the synchronization graph for that execution. Synchronization graphs are derived from information which is locally available for computation at the processors (local time of events and system specification), and can therefore be used by distributed algorithms. Using synchronization graphs, we obtain the first optimal on-line distributed algorithms for external clock synchronization, where the task of all processors is to estimate the reading of the local clock of a distinguished processor. The algorithms are optimal for all executions, rather than only for worst cases. The algorithm for systems with arbitrarily drifting clocks has high overhead; we prove that this phenomenon is unavoidable, namely any optimal general algorithm for external synchronization has unbounded space complexity. For systems with drift-free clocks (i.e., clocks that run at the rate of real time), we present a particularly simple and efficient algorithm. We also present results for internal synchronization, where the task of the processors in the system is to generate a synchronized “tick.” Our approach is robust in the sense that it encompasses various system models, such as point-to-point or broadcast channels, communication links that may lose, duplicate and re-order messages, and crashing processors. In addition, synchronization graphs can be used to detect corrupted information.
Chapter 1


Introduction 


1.1 Background 


Clock synchronization is one of the most fundamental problems of distributed computing. Roughly speaking, the goal of clock synchronization is to ensure that physically dispersed processors will acquire a common notion of time, using local physical clocks (whose rates may vary), and message exchange over a communication network (with uncertain transmission times). The discrepancy between clock readings is called the tightness of synchronization. There are numerous applications for synchronized clocks in computer networks. For example, in database systems, version management and concurrency control usually depend on the ability to consistently assign timestamps to objects. Many distributed applications use timeouts (e.g., communication protocols, resource allocation protocols), and their performance depends to a large extent on the quality of synchronization between remote processors. From the theoretical perspective, having synchronized clocks enables one to use distributed algorithms that proceed in rounds, thus considerably simplifying their design and analysis. For an excellent discussion of the importance of clock synchronization, see Liskov’s keynote address at the 9th PODC [18].

The basic difficulty in clock synchronization is that timing information tends to deteriorate over the temporal and spatial axes. More specifically, when the rate of local clocks is not known precisely in advance, the tightness of synchronization loosens as time passes; and when a processor is communicating timing information to remote processors, there is some inherent cumulative timing uncertainty, unless message transmission times are known precisely. Practically, ideal clocks and communication links do not exist. However, there are always some a priori guarantees about the timed behavior of the system: usually it is assumed that local clocks have known lower and upper bounds on their rate of progress with respect to real time. We call these bounds drift bounds. In addition, it is assumed that there are known lower and upper bounds on the time required to transmit a message. We call these bounds message latency bounds. The essence of all clock synchronization problems is how to use these bounds to obtain tight synchronization.

[Figure 1-1 (time-space diagram; labels in the figure: “m, local time = T”, “distinguished event”, “m', local time = T'”).]

Figure 1-1: Processor v sends a message m to processor s, and s sends a message m' back to v. A distinguished event, marked by a cross, occurs at s after m is received and before m' is sent.

In this thesis we present a theoretical study of clock synchronization problems. Our starting point is an elementary variant of the problem, described informally as follows.

    Obtain bounds on the reading of the local clock when some distinguished remote event occurs in the execution.


Example. Consider a system that consists of two processors s and v, connected by a bidirectional communication link. Suppose that processor v sends a message m to s when the local clock at v shows T; processor s then responds by sending a message m' to v, which is received at v when its local clock shows T'. See the time-space diagram in Figure 1-1. (A brief explanation of time-space diagrams is given in Appendix A.) Suppose further that some distinguished event occurs at processor s after m is received and before m' is sent. Clearly, when m' is received, processor v can deduce that the distinguished event occurs within its local time interval [T, T']. The difference (T' − T) is the tightness of synchronization. ∎


To study synchronization problems, we define a system model, and analyze it at an abstract graph-theoretic level. Using the results we obtain for graphs, we analyze clock synchronization problems that are more practical than the elementary variant above. Specifically, we give results for two kinds of clock synchronization tasks, motivated by the following settings.

External Synchronization: There exists a distinguished processor called source in the system. The task for each other processor is to obtain, at each time, the smallest interval [a, b] such that the current reading of the source clock is in [a, b].

Internal Synchronization: Keep all clocks in the system as close to each other as possible, running at the rate of their physical hardware clocks, except for isolated points where clock values are reset.

Before we describe our results, we first describe what was known prior to this work. We remark that much previous work was done for fault-tolerant clock synchronization, which is beyond the scope of this thesis.


1.2 Previous Work 


Different variants of the clock synchronization problem have been the target of a vast 
amount of research from both practical viewpoint (e.g., [26, 6, 24, 28, 1, 15]) and theoretical 
viewpoint (e.g., [16, 19, 7, 13, 33, 3], surveys [31, 30] and references therein); the exact 
definition of the problem depends both on the intended use of the clocks and on the specific 
underlying system. The large number of variants is justified by the wide spectrum of 
applications. 

One of the popular variants studied theoretically is internal synchronization in the case where all clocks in the system are assumed to run exactly at the rate of real time (we call such clocks drift-free hereafter). Lundelius and Lynch [19] consider the case in which there is a communication link between each pair of processors, and message latency bounds are identical for all links in the system. For this case, they present a synchronization algorithm that gives optimal tightness in the worst possible scenario allowable by the system specifications. Halpern et al. [13] generalized the results of [19] to networks whose underlying topology is arbitrary, and whose message latency bounds may be different for each link. The main idea in the analysis of [13] is to formulate the problem as a linear program; solving this program, they find the worst case scenario, and an algorithm is presented so that optimal tightness is guaranteed in this case. In [3], Attiya et al. observe that the algorithm of [13] always gives the best worst-case tightness, even if the actual execution happens to be more favorable for synchronization than the worst possible. This observation motivates them to generalize the results of [13]; specifically, in [3] they present an algorithm which gives optimal tightness for each specific execution of their system.

¹ In this thesis, numbers range over R ∪ {∞, −∞} unless explicitly indicated otherwise. Square brackets are used to denote intervals, including the case of infinite intervals.

The focus in all the above papers [19, 13, 3] is on obtaining bounds in a centralized 
off-line fashion. Typically, the algorithms can be viewed as consisting of two stages. In the 
first stage, timing information is gathered at the processors by sending messages over the 
links. Then a second stage begins, where all the information is sent to one processor; that 
processor makes the necessary computation, and distributes the results back to the other 
processors. Only then can each processor adjust its clock. 

Practical work is typically more focused on on-line distributed algorithms. Usually, loosely coupled systems use external synchronization algorithms, and tightly coupled systems use internal synchronization. One important protocol for external synchronization is NTP [25, 26], used over the Internet. Another prominent technique in practice is “probabilistic clock synchronization” proposed by Cristian [6]. In this approach, the transmission time of messages is assumed to adhere to some probability distribution, and the transmission times of different messages are assumed to be independent. Under these assumptions, some stochastic guarantees can be made by the synchronization protocol.


1.3 Contents of This Thesis


Our chief objective in this thesis is to acquire better theoretical understanding of clock synchronization. Our first step towards this goal is to define a mathematical model, in which we state our system assumptions precisely, and define the performance criterion by which we measure the quality of the synchronization algorithm. We then abstract executions of systems using a graph theoretic formulation. Using graphs, we state and prove our main characterization of tightness of clock synchronization. From these results, we derive new optimal external synchronization algorithms and a new lower bound on the tightness of internal synchronization. Moreover, we give evidence that indicates that there is no efficient optimal synchronization algorithm that works for arbitrary clock drift bounds and message latency bounds.


In the remainder of this section, we give a more detailed overview of the thesis. 


1.3.1 The Setting


Based on the model of timed input/output automata of Lynch and Vaandrager [20], we define in Chapter 2 a new formal model, called mixed automata. This model enables us to describe systems with local clocks. Using the formalism of mixed automata, we define in Chapter 3 the environment we consider. Intuitively, the main assumptions expressed by our definitions are the following. First, each message, when received (if at all), has a known latency lower bound which is a finite non-negative real number, and a known latency upper bound which is at least the lower latency bound, but it may be infinite. Secondly, each local clock has known finite non-negative lower and upper drift bounds. And thirdly, each execution that satisfies these bounds is possible. We remark that our assumptions include many cases, such as communication links that may lose, re-order, or duplicate messages arbitrarily; systems with broadcast channels; and the case of processor and link crashes.

To facilitate these properties, we assign to the clock synchronization modules a somewhat 
“passive” part in the system. Our formulation is such that clock synchronization algorithms 
do not initiate nor delay message transmission and delivery; rather, in our model, message 
sending is initiated solely by abstract send modules, and the clock synchronization algorithm 
is allowed to pass information only by “piggybacking” on existing message traffic, where 
we assume that piggybacking is done instantaneously. Thus, the role of a synchronization 
algorithm can be viewed as limited to the interpretation of executions of the environment 
as they unfold. (Technically, since our definition of executions contains also the real time 
of occurrence of events, only a local view of the execution, which contains just local times 
of occurrence, is available for computation.) We remark that our model can be viewed as a 
distributed version of the model considered in [3]. 

To evaluate the quality of a synchronization algorithm, we define in Chapter 4 a new measure, which may be of independent interest in its own right. Intuitively, our approach is a combination of the execution-specific approach of [3], the competitive analysis approach [32, 23], and the causality partial order of Lamport [16]. Loosely speaking, we call a clock synchronization algorithm locally K-competitive if the tightness of its output at any point at any execution is at most K times the best possible tightness among all correct algorithms, given the local view at that point. An algorithm is called optimal if it is locally 1-competitive.


1.3.2 A General Theory 


The heart of this thesis is a new analysis of clock synchronization problems. Intuitively, we show that even though clock synchronization problems can be formulated as linear programs [13], fortunately they have a much simpler structure, namely distances in a certain graph. More specifically, in Chapter 5 we introduce a new concept, which we call synchronization graphs. Synchronization graphs are weighted, directed graphs derived from system specifications and local views of executions. Since these quantities are locally available for processing, synchronization graphs can be computed by distributed algorithms. The main result of the theory is a characterization of the achievable tightness of synchronization at any execution in terms of distances in the corresponding synchronization graph. An important property of this result is that these distances can be computed on-line in a distributed fashion, thereby giving rise to new algorithmic techniques for optimal synchronization.

Synchronization graphs provide us with a simple and robust concept that deals in a uniform manner with both the uncertainty of transmission times and the uncertainty due to clock drifts. In Chapter 9 we show how to incorporate additional timing information of certain simple types in synchronization graphs. Moreover, we show a simple property of synchronization graphs which is equivalent to the consistency of views with system specifications. This idea can be used to detect faults.


1.3.3 Applications


After proving the general results in Chapter 5, we turn to derive results for specific synchronization tasks. In Chapter 6 we define and analyze the external synchronization problem. In external synchronization, there is a distinguished source processor whose clock is drift-free; each other processor in the system is required to provide, at all times, bounds on the current reading of the source processor. The difference between the bounds is called the external tightness of the synchronization at that point. In Chapter 6, we prove a lower bound on the tightness of synchronization at any point, and present a distributed on-line algorithm that meets this bound at all points. This characterization is done for the general setting, where clock drift bounds and message latency bounds are arbitrary. The algorithm for the general case is inefficient. By contrast, we present an efficient algorithm for optimal external synchronization, under the assumption that all clocks in the system are drift-free. We compare our approach with the popular technique of round-trip probes, and explain why our approach is superior.

In Chapter 7, we consider the internal clock synchronization problem, where each processor is required to generate a single “tick,” and the internal tightness of synchronization in an execution is a bound on the length of the real time interval that contains all ticks. Using synchronization graphs, we obtain a lower bound on the achievable internal tightness of synchronization. Our lower bound generalizes known lower bounds for drift-free clocks [19, 13, 3] to the case of drifting clocks. Moreover, our derivation is relatively simple and intuitive.

In Chapter 8, we show a somewhat surprising result regarding the space complexity of 
optimal synchronization algorithms. We define a certain computational model, in which 
output values are restricted to be expressed as linear combination of the inputs with integer 
coefficients (all known algorithms can be expressed this way). In that model, we show that 
for any external synchronization algorithm there are scenarios that require unbounded space 
complexity in order to produce optimal output. 

The latter result provides strong evidence to the effect that no single algorithm can be efficient, general and optimal at the same time. Practical algorithms must be efficient; the new algorithms we suggest are optimal.


1.4 Significance of the Results 


We believe that this thesis contributes to the understanding of clock synchronization in a 
number of ways. 

First, it suggests a new way of looking at the problem, and presents a constructive characterization of achievable tightness. Even though our results indicate that there is no “ultimate solution” for clock synchronization, i.e., an algorithm that is general, efficient and optimal, we believe that using the techniques presented in this thesis, better practical algorithms can be developed, by compromising generality or optimality.

We also believe that the discovery of synchronization graphs is an important contribution 
to the research of timing-based systems. In some sense, synchronization graphs can be 
viewed as the extension of Lamport’s graphs [16], used to describe executions of completely 
asynchronous systems, to the case where processors have clocks. 

In addition, we think that our approach of local competitiveness can be used for problems in different settings, as it captures an intuitive notion of flexible algorithms that guarantee output close to the best possible for each possible scenario.


1.5 Critique of the Results 


Informally, the usefulness of synchronization graphs relies on a few strong assumptions.

(1) The system specification is such that if an event may occur at either of two points, then this event may occur at any point between them.
(2) Processors and communication links follow the system specification.
(3) All executions that satisfy the system specifications are possible.

These assumptions are restrictive. Assumption (1), for example, rules out the case that local clocks run at a fixed but unknown rate. It also rules out systems where message transmission time can be a point in either of two disjoint intervals (this may be the case, for example, when using links that divide the communication into discrete frames). Assumption (2) seems even more problematic: even if the specification allows for some limited kind of faults, it is hardly ever the case that one can guarantee operation of distributed systems without unpredictable faults. Clocks are particularly volatile, as the many papers about fault-tolerant clock synchronization can testify. Assumption (3) seems unrealistic as well: intuitively, it means that all possible timing information is given in the system specification. In many cases, however, additional information can be obtained, e.g., from a human operator.

Let us defend our thesis. The first assumption is absolutely essential for our analysis; the whole theory breaks down if the timing specification is such that there are events that may not occur between points in which they are allowed to occur. We claim, however, that our formulation is appropriate in many cases. For example, when the uncertainty of message transmission times is relatively high, the effect of discrete communication frames is negligible. Also, while conventional quartz clocks (such as the ones used in most CPUs) usually maintain a fixed rate, this rate may change abruptly, thus making the rate look as if it takes values from a continuous range. Hence we argue that assumption (1) seems to be a reasonable abstraction.

Consider assumption (2). For systems with faults, our analysis provides a partial solution in the form of fault detection. Even though we do not know how to use synchronization graphs directly to correct errors, we know how to use synchronization graphs to detect them. Moreover, when computing distances over synchronization graphs (as our techniques suggest), the detection comes “for free.” It is also conceivable that synchronization graphs can be used in conjunction with some fault tolerance scheme that uses redundancy to eliminate erroneous information.

Assumption (3) is required only for the optimality claims, that is, we use it to obtain 
lower bounds on the achievable tightness of synchronization. Our algorithms work just as 
fine if this assumption is removed: it might be the case, however, that additional information 
can be used to improve performance. Some cases of additional timing information can be 
modeled by clock synchronization graphs: we give a few simple examples in Chapter 9. 

Finally, let us address the validity of our assumption that clock synchronization algorithms are “passive,” i.e., that they do not initiate message sending by themselves. We argue that this assumption is not really restrictive; it is used as a convenient theoretical abstraction that enables us to compare different algorithms. Using this model, we view clock synchronization algorithms as if their role is merely to interpret the execution; if an algorithm is optimal in our sense, then it gives the tightest results for any execution, and can be used under any pattern of message traffic.


1.6 Structure of this Thesis 


The organization of this thesis is as follows. Each chapter begins with a short description of its contents, and ends with an intuitive summary of the main ideas. In Chapter 2 we define the mixed automaton model, which provides us with the formalism we use in describing the systems considered in this thesis. In Chapter 3 we describe the architecture of the clock synchronization systems studied in this thesis, and define the basic notions of views and patterns. In Chapter 4 we define the synchronization tasks we consider, and the way we evaluate their quality, namely the concepts of local competitiveness and optimality for synchronization algorithms. In Chapter 5 we define the concept of synchronization graphs, and present our main results. In Chapter 6 we consider the external clock synchronization problem. We give matching bounds on the tightness for general systems, and an efficient optimal algorithm for systems with drift-free clocks. In Chapter 7 we give a lower bound on the achievable tightness for internal synchronization. In Chapter 8 we prove a space lower bound for optimal external synchronization algorithms for general systems. In Chapter 9 we present a few extensions to the concept of synchronization graphs. We conclude in Chapter 10 with a few critical remarks about the results, subsequent work, and open problems.

In Appendix A, we describe the standard method of time-space diagrams. An index is given at the end of the thesis, to aid the reader in tracing definitions of concepts.
Chapter 2


The Mixed Automaton Model 


In this chapter we define the mixed automaton model, which is the underlying computational 
model we consider in this work. Our goal is to formalize the notion of a distributed system 
with clocks. The development in this chapter is elementary: some readers may wish to skip 
directly to the more specific definitions of clock synchronization systems in Chapter 3, and 
refer to the general definitions of this chapter when appropriate. 

The mixed automaton model is based on the timed I/O automata model of Lynch and Vaandrager [22, 20], abbreviated TIOA henceforth. An important feature of the model is that simple modules, under certain compatibility conditions, can be combined to obtain a more complex module.† The main idea in our model, as described in this chapter, is that states of the system contain a component called now, which describes the (formal) real time in which the state exists, and components called local_time, which describe the readings of the local clocks in that state. (In TIOA, there are no special components for local times.) Time passage is formalized using a special action denoted ν. The now and the local_time components are changed only by the time-passage action, which means that the local times represent local clocks that cannot be reset.

We open this chapter in Section 2.1 with the definition of mixed automata, and also define a few particular properties of mixed automata that we shall use later. In Section 2.2 we define the notions used to describe how an automaton “runs,” namely executions and timed traces. We conclude this chapter by describing composition of mixed automata, which tells us how distinct submodules communicate within a larger module.


† We shall use the terms “automaton” and “module” interchangeably throughout this thesis.
Figure 2-1: Illustration of Definition 2.1. The N function maps elements of S to real numbers. The trajectory w is an inverse of N, and maps the “<” relation to a “→” relation.


2.1 Definition of Mixed Automata 


Our first step is to give a definition of trajectories (adapted from [20]), which have turned out to be a key concept in the formal analysis of real-time systems (see, e.g., [10, 21]). Intuitively, a trajectory for a given interval will be used to describe an “evolution” of a non-deterministic system when only time passes through that interval of time. The definition below is stated in general terms; the specialization for our purposes is done later. Figure 2-1 gives an illustration of the following definition.

Definition 2.1 Let S be a set, let N be a function N : S → R, and let “→” be a binary relation over S.² Given a (possibly infinite) interval I of R, a trajectory for I, S, N and → is a function w : I → S, such that N(w(t)) = t for all t ∈ I, and such that for all t₁, t₂ ∈ I with t₁ < t₂, we have w(t₁) → w(t₂).


The interpretation of the abstract notion of trajectory becomes clearer when we define automata. Intuitively, a mixed automaton is a formal representation of a non-deterministic system in a framework of real time, which is represented by non-negative real numbers. In this context, S in Def. 2.1 is used to represent the set of system states; each state s contains the single time point of its existence, which is given by a now(s) mapping (corresponding to N in Def. 2.1); a trajectory of an interval is the way the states change while time values range over that interval. Assuming that → is a relation (rather than a function) corresponds to the non-deterministic nature of the system.


² Throughout this thesis we denote the set of real numbers by R, and the non-negative reals by R⁺.
We now proceed with the definition of mixed automata. In addition to the now attribute of states which represents real time (as in the TIOA model [20]), a state of a mixed automaton may also have local time attributes, one for each local clock. The locations of clocks are represented by special objects called sites. Formally, we have the following definition.


Definition 2.2 (Mixed I/O Automata) A mixed I/O automaton A is defined by the following components.

• A finite, possibly empty set of sites sites(A).

• A set of states states(A) with the following mappings:

    now : states(A) → R⁺
    T : sites(A) × states(A) → R

  The value now(s) is called the real time of s. For a site v ∈ sites(A), we use the notation local_time_v(s) = T(v, s). T(s) is used as a function from sites to R.

• A nonempty set of start states start(A) ⊆ states(A).

• A set acts(A) of actions. One of the actions is a special time-passage action, denoted ν; the other actions are called discrete. The actions are partitioned into external and internal actions, where time passage is considered to be external. The visible actions are the discrete external actions. Visible actions are partitioned into input and output actions.

• A transition relation trans(A) ⊆ states(A) × acts(A) × states(A). We also use the shorthand s -π-> s' for (s, π, s') ∈ trans(A); when the context is clear, we sometimes write s -> s'. For an action π and a state s, if there exists a state s' such that s -π-> s', then we say that π is enabled in s.

We require that A satisfy the following axioms.

C1 For all s ∈ start(A), now(s) = 0.
C2 For all s -π-> s' with π ≠ ν, now(s) = now(s') and T(s) = T(s').
C3 For all s -ν-> s', now(s') > now(s).
C4 If s -ν-> s' and s' -ν-> s'', then s -ν-> s''.
C5 For all s -ν-> s', there exists a trajectory w for [now(s), now(s')], the state set, the now mapping and the time passage subrelation {(s, ν, s') ∈ trans(A)}, such that w(now(s)) = s and w(now(s')) = s'.

When we talk about more than a single automaton, we use subscripts to denote the context. For example, local_time_{A,v} denotes the local time function of automaton A at site v. We remark that timed I/O automata, as defined in [20], are a special case of mixed automata, where the site set is empty.³


Example: the SENDER automaton. Let us illustrate the concept of a mixed automaton with a toy example, which we shall return to later. We define an automaton, called SENDER, that has a single input action called Receive_Message, and a single output action called Send_Message. The SENDER automaton is equipped with a local clock that runs at the rate of real time; the behavior of SENDER is very simple: it may output Send_Message only if there was at least one Receive_Message input since the previous Send_Message output. The following is a formal description of SENDER.

• There is a single site, which we choose to call v (any other name can do as well).

• The state set is {(t, T, pend) : t ∈ R⁺, T ∈ R, pend ∈ {TRUE, FALSE}}. For a state s = (t, T, pend), we have now(s) = t, T(s) = (T), and local_time_v(s) = T. In words, the real time of (t, T, pend) is t, and the local time of (t, T, pend) at site v is T. The Boolean flag pend will be used to indicate whether there is a “pending output” (see below).

• The set of start states is {(0, T, TRUE) : T ∈ R}, i.e., all states with real time 0 and pend = TRUE. This definition means that the initial local time at v is arbitrary, and that Send_Message may be the first action of SENDER.

• The set of actions is {ν, Receive_Message, Send_Message}, where ν is the time passage action, Receive_Message is a discrete input action, and Send_Message is a discrete output action. Hence both Receive_Message and Send_Message are external and visible.


³ The converse is also true: given a mixed automaton, one can model it as a particular kind of TIOA.
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Sites: a single site v 


State: 


now: a non-negative real number, initially 0 
local_time: a real number, initially arbitrary 
pend: a Boolean flag, initially TRUE 


Actions: 

Receive Message (input) 
Pre: none 
Eff: pend — TRUE 

Send_Message (output) 
Pre: pend = TRUE 
Eff: pend — FALSE 

V: (time passage) 
Pre: b>0 


Eff: now — now+6 
local_time — local_time + 6 


Figure 2-2: SENDER: an example of a mixed automaton. 


• The transition relation is as follows.

First, for all $t \ge 0$, $T \in \mathbb{R}$, $\mathit{pend} \in \{\mathrm{TRUE}, \mathrm{FALSE}\}$ and $\delta > 0$, we have $(t, T, \mathit{pend}) \xrightarrow{\nu} (t + \delta, T + \delta, \mathit{pend})$. This means that time passage is always enabled, and that the local time is increased exactly by the amount of real time that passes.

Secondly, for $\mathit{pend} \in \{\mathrm{TRUE}, \mathrm{FALSE}\}$, $((t, T, \mathit{pend}), \text{Receive\_Message}, (t, T, \mathrm{TRUE}))$ is a transition. This means that the Receive_Message action is always enabled, and its effect is to set $\mathit{pend}$ to TRUE.

Finally, we have that $((t, T, \mathrm{TRUE}), \text{Send\_Message}, (t, T, \mathrm{FALSE}))$ is a transition, which means that the Send_Message action is enabled exactly at all states where $\mathit{pend} = \mathrm{TRUE}$, and its effect is to set $\mathit{pend} = \mathrm{FALSE}$.


Formal description of automata will usually be done in this thesis using the “precondition-effect” notation given in Figure 2-2. This more structured representation will be sufficient to describe the algorithms we study. When the “Pre” clause is omitted from the description of a transition, the interpretation is that the action is always enabled. ■
2.1.1 Projections, Equivalent Automata

In this section we define the technical notions of projection and equivalent automata. Intuitively, a projection of an automaton on one of its sites is the restriction of the automaton to describe only the clock of that site.


Definition 2.3 The projection of a mixed automaton $A$ on a site $v \in \mathit{sites}(A)$, or the clock of $A$ at $v$, denoted by $A|_v$, is the mixed automaton defined as follows.
• $\mathit{sites}(A|_v) = \{v\}$.
• $\mathit{acts}(A|_v) = \{\nu\}$.
• For a state $s \in \mathit{states}(A)$, let $s|_v$ be the pair $(\mathit{now}_A(s), \mathbf{T}_A(v, s))$. With this notation, we have
 – $\mathit{states}(A|_v) = \{s|_v : s \in \mathit{states}(A)\}$, and we set
  $$\mathit{now}_{A|_v}(s|_v) = \mathit{now}_A(s), \qquad \mathbf{T}_{A|_v}(v, s|_v) = \mathbf{T}_A(v, s).$$
 – $\mathit{start}(A|_v) = \{s|_v : s \in \mathit{start}(A)\}$.
 – $\mathit{trans}(A|_v) = \{(s|_v, \nu, s'|_v) : (s, \nu, s') \in \mathit{trans}(A)\}$.

We have the following lemma.

Lemma 2.1 For any mixed automaton $A$, for all $v \in \mathit{sites}(A)$, $A|_v$ is a mixed automaton.

Proof: By inspection of the axioms. ■
We conclude this section with a definition of equivalent automata. Intuitively, two automata are equivalent if they are the same, up to renaming and multiplicity of equivalent states. Formally, we have the following definition.

Definition 2.4 A mixed automaton $B$ is said to extend a mixed automaton $A$ if $\mathit{sites}(A) \subseteq \mathit{sites}(B)$, $\mathit{acts}(A) \subseteq \mathit{acts}(B)$, and there exists a mapping $f : \mathit{states}(B) \to \mathit{states}(A)$ such that the following conditions hold for all $s \in \mathit{states}(B)$.
• $\mathit{now}_A(f(s)) = \mathit{now}_B(s)$.
• For all $v \in \mathit{sites}(A)$, $\mathit{local\_time}_{A,v}(f(s)) = \mathit{local\_time}_{B,v}(s)$.
• $f(s) \in \mathit{start}(A)$ iff $s \in \mathit{start}(B)$.
• For all $\pi \in \mathit{acts}(A)$, we have $(f(s), \pi, f(s')) \in \mathit{trans}(A)$ iff $(s, \pi, s') \in \mathit{trans}(B)$.

$A$ and $B$ are said to be equivalent, denoted $A \equiv B$, if $A$ extends $B$ and $B$ extends $A$.


2.1.2 Clock Types

In this work, we shall study automata where local clocks have bounded drifts, as defined below.

Definition 2.5 Let $v$ be a site of a given mixed automaton $A$. If there exist $0 < \varrho \le \bar\varrho < \infty$ such that for all $s \xrightarrow{\nu} s'$,
$$\varrho\,(\mathit{now}(s') - \mathit{now}(s)) \;\le\; \mathit{local\_time}_v(s') - \mathit{local\_time}_v(s) \;\le\; \bar\varrho\,(\mathit{now}(s') - \mathit{now}(s))\,,$$
then $A|_v$ is called a $(\varrho, \bar\varrho)$-clock. A clock $A|_v$ is called a bounded-drift clock if it is a $(\varrho, \bar\varrho)$-clock for some $0 < \varrho \le \bar\varrho < \infty$. A $(1,1)$-clock is also said to be drift-free.

Alternatively, one can think of a clock as a collection of real-valued “clock functions” $\{T(t)\}$, where $t$ denotes real time. In this representation, a $(\varrho, \bar\varrho)$-clock consists of functions $T(t)$ such that $\varrho(t - t') \le T(t) - T(t') \le \bar\varrho(t - t')$ for all $t > t' \ge 0$ (which also means that all clock functions of a bounded-drift clock are continuous), and a drift-free clock is a function of the type $T(t) = t + a$ for some constant $a$. We formalize this interpretation in Definition 2.12, after we define executions.


2.1.3 Real Time Blindness

In our model, real time is a part of the state of the system. In many systems, access to real time is restricted to occur only via special physical devices, such as clocks. To model this property, we introduce the notion of real-time blindness in the following definition. The definition is specialized for bounded-drift clocks.

Definition 2.6 Let $A$ be a mixed automaton such that each $v \in \mathit{sites}(A)$ is a $(\varrho_v, \bar\varrho_v)$-clock. $A$ is said to be real-time blind for $(\varrho_v, \bar\varrho_v)$ if there exists an equivalent automaton $A' \equiv A$, with a set $B(A')$ and a mapping $\mathit{basic} : \mathit{states}(A') \to B(A')$ such that the following conditions are satisfied.

• For all $b \in B(A')$, all mappings $\mathbf{T} : \mathit{sites}(A') \to \mathbb{R}$ and all $t \in \mathbb{R}^+$, there exists $s \in \mathit{states}(A')$ such that $\mathit{basic}(s) = b$, $\mathit{now}(s) = t$ and $\mathbf{T}(v, s) = \mathbf{T}(v)$ for all $v \in \mathit{sites}(A')$.

• For all $s_1 \xrightarrow{\nu} s_2$, $\mathit{basic}(s_1) = \mathit{basic}(s_2)$.

• For all $s_1, s_2, s'_1, s'_2 \in \mathit{states}(A')$: if $(s_1, \pi, s_2) \in \mathit{trans}(A')$ for $\pi \ne \nu$, and
$$\mathbf{T}(s'_1) = \mathbf{T}(s_1), \qquad \mathit{basic}(s'_1) = \mathit{basic}(s_1), \qquad \mathit{basic}(s'_2) = \mathit{basic}(s_2),$$
then $(s'_1, \pi, s'_2) \in \mathit{trans}(A')$.

• For all $s_1, s_2, s'_1, s'_2 \in \mathit{states}(A')$: suppose $(s_1, \nu, s_2) \in \mathit{trans}(A')$, and let $\Delta = \mathit{now}(s'_2) - \mathit{now}(s'_1)$. If for all $v \in \mathit{sites}(A')$ we have
$$\mathit{basic}(s'_1) = \mathit{basic}(s_1), \qquad \mathbf{T}(s'_1) = \mathbf{T}(s_1), \qquad \mathbf{T}(s'_2) = \mathbf{T}(s_2), \qquad \mathbf{T}(v, s'_2) - \mathbf{T}(v, s'_1) \in [\varrho_v \Delta,\ \bar\varrho_v \Delta]\,,$$
then $(s'_1, \nu, s'_2) \in \mathit{trans}(A')$.

Intuitively, an automaton is real-time blind if each of its states can be decomposed into three components, called the real time, the local times, and the basic component. We require that this decomposition is such that the time passage action has no effect on the basic component, and that the enabledness of actions is independent of the real time component. The time passage action is special, since the clock drift bounds imply that the local times component and the real time component are related. In this case we therefore require that all amounts of real time passage allowed by the drift bounds are possible for a real-time blind automaton.
Example. It is easy to verify that SENDER is real-time blind for $(1, 1)$: the decomposition of its states is readily given. Specifically, a state $(t, T, \mathit{pend})$ has real time component $t$, local time component $T$, and basic component $\mathit{pend}$. Let us verify the properties of this decomposition:
• The state set is $\mathbb{R}^+ \times \mathbb{R} \times \{\mathrm{TRUE}, \mathrm{FALSE}\}$.
• The value of $\mathit{pend}$ is never changed by time passage.
• Changes in the value of $\mathit{pend}$ depend only on its value and the type of action taken.
• Time passage does not depend on the value of the $\mathit{now}$ component, neither in being enabled nor in the amount of time that passes, except that the real time is increased by exactly the amount by which the local time is increased.


2.1.4 Quiescent States

The following definition formalizes the notion of “idle state,” in which nothing happens, and nothing will happen, unless some input occurs.

Definition 2.7 A state $s \in \mathit{states}(A)$ for some mixed automaton $A$ is called quiet if the only actions enabled in $s$ are input actions and time-passage actions. A quiet state $s_q$ is said to be quiescent if the following conditions hold.
(1) For all $t > 0$ there exists a transition $s_q \xrightarrow{\nu} s'$ such that $\mathit{now}(s') = \mathit{now}(s_q) + t$.
(2) For all states $s$ such that $s_q \xrightarrow{\nu} s$, $s$ is quiet.

Intuitively, a state is quiet if the automaton is not poised at doing something at present, and a state is quiescent if the automaton is not intending to do something in the future. An important consequence of quiescence will be proved in Lemma 3.1, in the next chapter.

Example. Examining SENDER once again, we see that all the states of the form $(t, T, \mathrm{FALSE})$ are quiescent: only input and time-passage actions are enabled in them, and only other states of the same form are reachable from them by time passage. ■
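The SENDER automaton of Figure 2-2 together with the quiet and quiescent checks of Definition 2.7, as an added Python example that is not part of the thesis: `step` implements the precondition-effect transitions, and `is_quiescent` samples time passage, which is exact for SENDER because its time passage is deterministic and never changes pend. The sampling horizon and the local-time values in the usage are constructed.

```python
from dataclasses import dataclass

NU = "nu"  # the time-passage action, written ν in the thesis


@dataclass(frozen=True)
class State:
    now: float         # real-time component
    local_time: float  # local-time component at the single site v
    pend: bool         # basic component: is a Send_Message output pending?


class Sender:
    """SENDER (Figure 2-2): one site v with a (1,1)-clock, one input, one output."""
    sites = ("v",)
    inputs = {"Receive_Message"}
    outputs = {"Send_Message"}
    internals = set()

    @staticmethod
    def start(local_time):
        # start states: real time 0, arbitrary local time, pend = TRUE
        return State(0.0, local_time, True)

    @staticmethod
    def enabled(s, action, delta=None):
        if action == NU:
            return delta is not None and delta > 0   # Pre: delta > 0
        if action == "Receive_Message":
            return True                              # Pre: none
        if action == "Send_Message":
            return s.pend                            # Pre: pend = TRUE
        return False

    @staticmethod
    def step(s, action, delta=None):
        """The unique successor of s under `action`, or None if it is not enabled."""
        if not Sender.enabled(s, action, delta):
            return None
        if action == NU:
            # Eff: now <- now + delta; local_time <- local_time + delta (drift-free clock)
            return State(s.now + delta, s.local_time + delta, s.pend)
        if action == "Receive_Message":
            return State(s.now, s.local_time, True)   # Eff: pend <- TRUE
        return State(s.now, s.local_time, False)      # Eff: pend <- FALSE


def is_quiet(s):
    """Definition 2.7: only input and time-passage actions are enabled in s."""
    locally_controlled = Sender.outputs | Sender.internals
    return not any(Sender.enabled(s, a) for a in locally_controlled)


def is_quiescent(s, horizon=1000.0, samples=200):
    """Definition 2.7: s is quiet, time passage of any amount is possible from s, and
    every state reachable from s by time passage alone is quiet.  Sampling delta over
    a horizon is exact for SENDER, whose time passage never touches pend."""
    if not is_quiet(s):
        return False
    for k in range(1, samples + 1):
        delta = horizon * k / samples
        s2 = Sender.step(s, NU, delta)
        if s2 is None or s2.now != s.now + delta or not is_quiet(s2):
            return False
    return True


def run(start, schedule):
    """Apply a schedule of (action, delta) steps; returns every state visited.
    Raises if a step is attempted from a state in which its action is not enabled."""
    states = [start]
    for action, delta in schedule:
        nxt = Sender.step(states[-1], action, delta)
        if nxt is None:
            raise ValueError("%s is not enabled in %r" % (action, states[-1]))
        states.append(nxt)
    return states


if __name__ == "__main__":
    # constructed run: send, let 2 time units pass, then receive an input
    for st in run(Sender.start(7.5), [("Send_Message", None), (NU, 2.0), ("Receive_Message", None)]):
        print(st, "quiet" if is_quiet(st) else "not quiet", "quiescent" if is_quiescent(st) else "")
```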
2.2 Executions and Timed Traces

In this section we formalize the concept of system execution and its derivative notions. We remark that the definition of executions of mixed automata we give here is a straightforward extension of the definition of timed executions in [20]. We shall use the following notations (cf. Definition 2.1 and Figure 2-1).

Notation 2.8 Let $I$ be a (possibly infinite) interval of $\mathbb{R}^+$, and let $A$ be a mixed automaton. A trajectory on $I$ of $A$ is a trajectory for $I$, $\mathit{states}(A)$, the $\mathit{now}$ mapping, and the time-passage relation $\{(s, \nu, s') \in \mathit{trans}(A)\}$. Let $w$ be a trajectory on $I$ of $A$. Denote $\mathit{f\_now}(w) = \inf(I)$, and $\mathit{l\_now}(w) = \sup(I)$. If $I$ is left-closed, let $\mathit{f\_state}(w)$ denote $w(\mathit{f\_now}(w))$, and if $I$ is right-closed, let $\mathit{l\_state}(w)$ denote $w(\mathit{l\_now}(w))$.
We start with the definition of execution fragments.

Definition 2.9 Let $A$ be a mixed automaton. An execution fragment of $A$ is an alternating (finite or infinite) sequence $(\omega_0 \pi_1 \omega_1 \pi_2 \omega_2 \ldots)$ such that
(1) Each $\omega_i$ is a trajectory, and each $\pi_i$ is a discrete action.
(2) If the sequence is finite, then it ends with a trajectory.
(3) If $\omega_i$ is not the last trajectory in the sequence, then its domain is a closed interval. If there is a last trajectory, then its domain is left-closed.
(4) If $\omega_i$ is not the last trajectory, then $\mathit{l\_state}(\omega_i) \xrightarrow{\pi_{i+1}} \mathit{f\_state}(\omega_{i+1})$.

The duration of a finite execution fragment $(\omega_0 \pi_1 \omega_1 \pi_2 \omega_2 \ldots \omega_n)$ is the (possibly infinite) interval $[\mathit{f\_now}(\omega_0), \mathit{l\_now}(\omega_n)]$. The duration of an infinite execution fragment $(\omega_0 \pi_1 \omega_1 \pi_2 \omega_2 \ldots)$ is the interval $[\mathit{f\_now}(\omega_0), \sup_i \mathit{l\_now}(\omega_i)]$.

Definition 2.10 An execution of a mixed automaton $A$ is an execution fragment $(\omega_0 \pi_1 \omega_1 \pi_2 \omega_2 \ldots)$ of $A$ such that $\mathit{f\_state}(\omega_0) \in \mathit{start}(A)$.

Call an execution admissible if its duration is infinite. In this work we consider only feasible automata, defined by the condition that each finite execution of a feasible automaton can be extended to an admissible execution.

Given an execution fragment $(\omega_0 \pi_1 \omega_1 \ldots)$, we define for each event $\pi_i$ its times of occurrence, $\mathbf{T}(\pi_i) = \mathbf{T}(\mathit{l\_state}(\omega_{i-1}))$ (thus $\mathbf{T}(\pi_i)$ is a mapping that assigns to each site a local time). Sometimes actions will be associated with a single site. If a step $\pi$ is associated with a site $v$, we refer to the local time of occurrence of $\pi$, defined by $\mathit{local\_time}(\pi) = \mathbf{T}(\pi)(v)$. The real time of occurrence is defined to be $\mathit{now}(\pi_i) = \mathit{now}(\mathit{l\_state}(\omega_{i-1}))$.


Next, we define the notion of timed traces.

Definition 2.11 Given a finite execution fragment $e = (\omega_0 \pi_1 \omega_1 \ldots \omega_n)$, the timed trace of $e$ is a triple $((t_s, \mathbf{T}_s), \alpha, (t_f, \mathbf{T}_f))$, where the start time is $\mathbf{T}_s = \mathbf{T}(\mathit{f\_state}(\omega_0))$ and $t_s = \mathit{now}(\mathit{f\_state}(\omega_0))$; the finish time is $\mathbf{T}_f = \mathbf{T}(\mathit{l\_state}(\omega_n))$ and $t_f = \mathit{now}(\mathit{l\_state}(\omega_n))$;‡ and $\alpha$ is a sequence of triples $(\pi_i, t_i, \mathbf{T}_i)$, where $\pi_1 \pi_2 \ldots$ is the sequence of all visible events in the execution, and for each $i$, $t_i$ is the real time of occurrence of $\pi_i$, and $\mathbf{T}_i$ is the times of occurrence of $\pi_i$. For an infinite execution fragment, the finish time is given by $t_f = \sup_{i,t} \mathit{now}(\omega_i(t))$, and $\mathbf{T}_f(v) = \sup_{i,t} \mathit{local\_time}_v(\omega_i(t))$ for each site $v$.


We close this section with a definition of the natural concept of clock function.

Definition 2.12 (Clock Functions) Let $e = (\omega_0 \pi_1 \ldots)$ be an execution of an automaton $A$, and let $v \in \mathit{sites}(A)$. The clock function of $v$ in $e$ is a mapping $\mathit{local\_time}_v : \mathbb{R}^+ \to \mathbb{R}$ such that for all $t \ge 0$, if $t \in [\mathit{f\_now}(\omega_i), \mathit{l\_now}(\omega_i)]$, then $\mathit{local\_time}_v(t) = \mathbf{T}(\omega_i(t), v)$.

Recall that the notation local_time is also defined as a function from states to the reals; the interpretation being used should be clear from the context. Finally, given an automaton $A$ and a site $v \in \mathit{sites}(A)$, we define the set of clock functions of $v$ to consist of all clock functions of the projected automaton $A|_v$.
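An added example, not from the thesis, that represents a one-site execution fragment (Definition 2.9) as alternating trajectories and discrete actions, extracts its timed trace (Definition 2.11) and clock function (Definition 2.12), and checks that clock function against the drift bounds of Definition 2.5 on sampled real times. Trajectories are given by a closed interval and a callable clock function, local times are plain numbers because there is a single site, and the sample clock rates and action names are constructed.

```python
from itertools import combinations


class Trajectory:
    """A trajectory on the closed real-time interval [f_now, l_now]; `clock` maps real time to
    the local time of the single site, so w(t) is the state (t, clock(t))."""
    def __init__(self, f_now, l_now, clock):
        assert 0 <= f_now <= l_now
        self.f_now, self.l_now, self.clock = f_now, l_now, clock

    def f_state(self):
        return (self.f_now, self.clock(self.f_now))

    def l_state(self):
        return (self.l_now, self.clock(self.l_now))


def check_fragment(frag):
    """Definition 2.9 for a finite fragment [w0, pi1, w1, ..., wn]: trajectories and discrete
    actions alternate, the sequence ends with a trajectory, and since a discrete action takes
    no real time, l_now(w_i) == f_now(w_{i+1})."""
    if not frag or len(frag) % 2 == 0:
        return False
    for i in range(0, len(frag) - 1, 2):
        w, pi, w_next = frag[i], frag[i + 1], frag[i + 2]
        if not (isinstance(w, Trajectory) and isinstance(pi, str) and isinstance(w_next, Trajectory)):
            return False
        if w.l_now != w_next.f_now:
            return False
    return isinstance(frag[-1], Trajectory)


def timed_trace(frag, visible):
    """Definition 2.11: ((t_s, T_s), alpha, (t_f, T_f)); alpha lists (action, real time, local
    time) for the visible events only, the time of occurrence of pi_i being the last state of
    the trajectory that precedes it."""
    assert check_fragment(frag)
    t_s, T_s = frag[0].f_state()
    t_f, T_f = frag[-1].l_state()
    alpha = []
    for i in range(1, len(frag), 2):
        if frag[i] in visible:
            t_i, T_i = frag[i - 1].l_state()
            alpha.append((frag[i], t_i, T_i))
    return (t_s, T_s), alpha, (t_f, T_f)


def clock_function(frag):
    """Definition 2.12: local_time(t) = T(w_i(t)) for t in the domain of w_i."""
    trajectories = frag[0::2]

    def local_time(t):
        for w in trajectories:
            if w.f_now <= t <= w.l_now:
                return w.clock(t)
        raise ValueError("t=%r lies outside the fragment's duration" % (t,))
    return local_time


def is_bounded_drift(local_time, times, rho_lo, rho_hi, eps=1e-9):
    """Definition 2.5 checked on sampled real times: for every pair t > t',
    rho_lo*(t - t') <= local_time(t) - local_time(t') <= rho_hi*(t - t')."""
    assert 0 < rho_lo <= rho_hi
    for t1, t2 in combinations(sorted(times), 2):
        dt, dT = t2 - t1, local_time(t2) - local_time(t1)
        if dT < rho_lo * dt - eps or dT > rho_hi * dt + eps:
            return False
    return True


# Constructed sample: the clock runs 25% fast until a Send_Message at real time 3, then at the
# rate of real time; the action "tick" at real time 5 is taken to be internal (not visible).
SAMPLE = [
    Trajectory(0.0, 3.0, lambda t: 100.0 + 1.25 * t),
    "Send_Message",
    Trajectory(3.0, 5.0, lambda t: 103.75 + (t - 3.0)),
    "tick",
    Trajectory(5.0, 6.0, lambda t: 105.75 + (t - 5.0)),
]

if __name__ == "__main__":
    print(timed_trace(SAMPLE, visible={"Send_Message"}))
    lt = clock_function(SAMPLE)
    print("(1.0, 1.3)-clock:", is_bounded_drift(lt, range(7), 1.0, 1.3))
```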


2.3 Composition of Mixed Automata

We now proceed to define the composition of mixed automata. First, we define composition of states.

Definition 2.13 Let $A$ and $B$ be mixed automata. Two states $s_A \in \mathit{states}(A)$ and $s_B \in \mathit{states}(B)$ are compatible if $\mathit{now}(s_A) = \mathit{now}(s_B)$ and $\mathit{local\_time}_v(s_A) = \mathit{local\_time}_v(s_B)$ for all $v \in \mathit{sites}(A) \cap \mathit{sites}(B)$. The composition of two compatible states $s_A$ and $s_B$ is the pair $(s_A, s_B)$, which has the following attributes.
• $\mathit{now}(s_A, s_B) = \mathit{now}(s_A)$.
• For each site $v \in \mathit{sites}(A) \cup \mathit{sites}(B)$,
$$\mathbf{T}(v, (s_A, s_B)) = \mathit{local\_time}_v(s_A, s_B) = \begin{cases} \mathit{local\_time}_v(s_A), & \text{if } v \in \mathit{sites}(A), \\ \mathit{local\_time}_v(s_B), & \text{if } v \in \mathit{sites}(B). \end{cases}$$

For a composed state $(s_A, s_B)$, we denote $(s_A, s_B)|_A = s_A$, and $(s_A, s_B)|_B = s_B$.

Note that by the compatibility condition, $\mathit{local\_time}_v(s_A, s_B)$ is well defined for $v \in \mathit{sites}(A) \cap \mathit{sites}(B)$.

‡Again, note that $\mathbf{T}_s$ and $\mathbf{T}_f$ are mappings that assign a local time to each site.
We now define a necessary condition for composing mixed automata. We use the notion of projection here (cf. Definition 2.3).

Definition 2.14 Let $A, B$ be two mixed I/O automata. $A$ and $B$ are said to be compatible if their output actions are disjoint, the set of internal actions of $A$ is disjoint from the set of all actions of $B$, and the set of internal actions of $B$ is disjoint from the set of all actions of $A$. In addition, we require that for all $v \in \mathit{sites}(A) \cap \mathit{sites}(B)$, we have that $A|_v = B|_v$.
We are now ready to define composition of automata.

Definition 2.15 (Mixed Automata Composition) Let $A$ and $B$ be two compatible mixed I/O automata. The composition $A \times B$ of $A$ and $B$ is a mixed I/O automaton defined as follows.
• The sites of $A \times B$ are $\mathit{sites}(A \times B) = \mathit{sites}(A) \cup \mathit{sites}(B)$.
• The states of $A \times B$ are the set of all compatible pairs of states from $\mathit{states}(A)$ and $\mathit{states}(B)$.
• The start set of $A \times B$ is the set obtained by composing all compatible pairs of states from $\mathit{start}(A)$ and $\mathit{start}(B)$.
• The set of actions of $A \times B$ is the union of $\mathit{acts}(A)$ and $\mathit{acts}(B)$. A discrete action is external in $A \times B$ exactly if it is external at either $A$ or $B$, and likewise for internal actions of $A \times B$. A visible action of $A \times B$ is an output action if it is an output action of exactly one of either $A$ or $B$, and it is input otherwise.
• For any action $\pi \in \mathit{acts}(A \times B)$ and states $s, s' \in \mathit{states}(A \times B)$, we have $(s, \pi, s') \in \mathit{trans}(A \times B)$ iff both the following hold.
 (1) If $\pi \in \mathit{acts}(A)$ then $(s|_A, \pi, s'|_A) \in \mathit{trans}(A)$, otherwise $s|_A = s'|_A$.
 (2) If $\pi \in \mathit{acts}(B)$ then $(s|_B, \pi, s'|_B) \in \mathit{trans}(B)$, otherwise $s|_B = s'|_B$.

Composition defines the way two automata interact: this is done by shared actions. The compatibility condition prohibits shared output actions, or interfering with internal actions of each other, and requires that shared portions of the state have the same underlying structure.


Below we state the basic property of composition.

Lemma 2.2 If $A$ and $B$ are compatible mixed I/O automata, then $A \times B$ is a mixed I/O automaton.

Proof: Straightforward. ■

Notice that we can compose any finite number of compatible automata, by applying the binary composition operator defined above iteratively. The set of executions of the resulting automaton is essentially the same (up to a natural isomorphism), regardless of the order of composition.
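Definition 2.15 carried out in Python, as an added example that is not from the thesis: `compose` builds the product of two automata given as small classes, applying rules (1) and (2) to each action and checking state compatibility (Definition 2.13) on every step. The Ticker and Counter automata, their action names and initial values are constructed for illustration; the $A|_v = B|_v$ part of Definition 2.14 is not checked because the two share no site.

```python
NU = "nu"   # the time-passage action ν, an action of every automaton


class Ticker:
    """Constructed automaton: site u with a drift-free clock; outputs Tick once, then stays disarmed."""
    sites, inputs, outputs, internals = {"u"}, set(), {"Tick"}, set()

    @staticmethod
    def start():
        return (0.0, 42.0, True)              # (now, local_time_u, armed)

    @staticmethod
    def local_times(s):
        return {"u": s[1]}                    # T(v, s) restricted to this automaton's sites

    @staticmethod
    def step(s, action, delta=None):
        """Successor of s under action, or None if the action is not enabled in s."""
        now, T, armed = s
        if action == NU:
            return (now + delta, T + delta, armed) if delta is not None and delta > 0 else None
        if action == "Tick":
            return (now, T, False) if armed else None
        return None


class Counter:
    """Constructed automaton: no sites (no local clock); counts Tick inputs, which are always enabled."""
    sites, inputs, outputs, internals = set(), {"Tick"}, set(), set()

    @staticmethod
    def start():
        return (0.0, 0)                       # (now, ticks seen)

    @staticmethod
    def local_times(s):
        return {}

    @staticmethod
    def step(s, action, delta=None):
        now, n = s
        if action == NU:
            return (now + delta, n) if delta is not None and delta > 0 else None
        if action == "Tick":
            return (now, n + 1)
        return None


def acts(X):
    return X.inputs | X.outputs | X.internals | {NU}


def compatible(A, B):
    """Definition 2.14 without the A|_v = B|_v check on shared sites (none are shared here)."""
    return (not (A.outputs & B.outputs)
            and not (A.internals & acts(B))
            and not (B.internals & acts(A)))


def compatible_states(A, B, sA, sB):
    """Definition 2.13: equal real time, and equal local times on every shared site."""
    return sA[0] == sB[0] and all(
        A.local_times(sA)[v] == B.local_times(sB)[v] for v in A.sites & B.sites)


def compose(A, B):
    """Definition 2.15: the product automaton A x B of two compatible automata."""
    assert compatible(A, B)

    class Product:
        sites = A.sites | B.sites
        outputs = A.outputs | B.outputs                  # an output of exactly one component
        inputs = (A.inputs | B.inputs) - outputs         # input otherwise
        internals = A.internals | B.internals

        @staticmethod
        def start():
            s = (A.start(), B.start())
            assert compatible_states(A, B, *s)
            return s

        @staticmethod
        def step(s, action, delta=None):
            sA, sB = s
            # rule (1): A moves iff the action belongs to A; otherwise its state is unchanged
            nA = A.step(sA, action, delta) if action in acts(A) else sA
            # rule (2): likewise for B
            nB = B.step(sB, action, delta) if action in acts(B) else sB
            if nA is None or nB is None:
                return None                              # not enabled in A x B
            assert compatible_states(A, B, nA, nB)       # the pair stays in states(A x B)
            return (nA, nB)

    return Product


if __name__ == "__main__":
    P = compose(Ticker, Counter)
    s = P.step(P.start(), "Tick")        # shared action: both components move
    print(s, P.step(s, "Tick"), P.step(s, NU, 3.0))
```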

We now turn to look at executions of composed automata. The following two lemmas establish connections between executions of a composed automaton and the executions of its constituent automata. First, for an execution $e$ of a composed automaton $A \times B$, let $e|_A$ denote the sequence obtained from $e$ by mapping each state $s$ of $e$ into $s|_A$, omitting all actions of $B$ from $e$, and, for each action $\pi_i$ of $B$ in $e$, merging the resulting trajectories $\omega_i$ and $\omega_{i+1}$. Analogously we define $e|_B$. The sequences $e|_A$ and $e|_B$ are called the projection of $e$ to $A$ and $B$, respectively. We have the following simple property for the projection of an execution of a composed automaton.

Lemma 2.3 Let $e$ be an execution of a composed automaton $A \times B$. Then $e|_A$ and $e|_B$ are executions of $A$ and $B$, respectively.

Proof: Immediate from the definitions. ■
We now prove a converse for Lemma 2.3. To be able to state it, we have to make a few technical definitions. Fix a mixed automaton $A$. A times form for a set of sites $V \subseteq \mathit{sites}(A)$ is a mapping $F : V \to \mathbb{R}$. A timed sequence for $A$ is a sequence $\sigma = ((\pi_1, \mathit{now}(\pi_1), F_{\pi_1}), (\pi_2, \mathit{now}(\pi_2), F_{\pi_2}), \ldots)$, where each $\pi_i$ is a visible action of $A$, $\mathit{now}(\pi_i)$ is a non-negative number, and $F_{\pi_i}$ is a times form. We require that the sequence $(\mathit{now}(\pi_i))_{i \ge 1}$ is non-decreasing. A form for $A$ is a triple $((t_s, F_s), \sigma, (t_f, F_f))$, where $\sigma$ is a timed sequence of $A$; $t_s$ and $t_f$ are non-negative real numbers called the start and finish real time, respectively; and $F_s$ and $F_f$ are times forms, called the start and finish times forms, respectively. Notice that for a given automaton, every timed trace is a form; the converse, however, is not true in general, since a form for $A$ need not be obtained from an execution of $A$.

Let $F$ be a times form for a site set $V$. The projection $F|_{V'}$ of $F$ for $V' \subseteq V$ is obtained by restricting the domain of $F$ to sites in $V'$ only. Given a timed sequence $\sigma$ for a composed automaton $A \times B$, its projection $\sigma|_A$ is defined as the subsequence of actions of $A$, where the times form for each action is projected on $\mathit{sites}(A)$. Finally, the projection of a form for a composed automaton is obtained by projecting the start times form, the timed sequence, and the finish times form, i.e.,
$$((t_s, F_s), \sigma, (t_f, F_f))|_A = \big((t_s, F_s|_{\mathit{sites}(A)}),\ \sigma|_A,\ (t_f, F_f|_{\mathit{sites}(A)})\big)\,.$$

In the following lemma we prove that a converse to Lemma 2.3 is also true, i.e., if we have executions of $A$ and of $B$ that are compatible in a certain sense, then there exists an execution of $A \times B$ that, after projections, looks like either of the given executions (of $A$ and of $B$).


Lemma 2.4 Let $A \times B$ be the composition of compatible mixed automata $A$ and $B$, and let $((t_s, F_s), \sigma, (t_f, F_f))$ be a form for $A \times B$. Suppose that there exist execution fragments of $A$ and $B$ whose timed traces are the projection of $((t_s, F_s), \sigma, (t_f, F_f))$ on $A$ and on $B$, respectively, and such that for all $v \in \mathit{sites}(A) \cap \mathit{sites}(B)$ we have $\mathit{local\_time}_{A,v}(t) = \mathit{local\_time}_{B,v}(t)$ for all $t \in [t_s, t_f]$. Then there exists an execution fragment of $A \times B$ whose timed trace is $((t_s, F_s), \sigma, (t_f, F_f))$.


Proof: Suppose $\sigma = (\pi_1, \pi_2, \ldots)$, $\sigma|_A = (\pi_{i_1}, \pi_{i_2}, \ldots)$, and $\sigma|_B = (\pi_{j_1}, \pi_{j_2}, \ldots)$. By the assumption, we can “fill in” trajectories $\omega_{i_k}$ and $\omega_{j_k}$ such that the following properties hold (see Figure 2-3 for an example).

(1) The alternating sequence $e_A = (\omega_{i_0} \pi_{i_1} \omega_{i_1} \pi_{i_2} \ldots)$ is an execution fragment of $A$, and the alternating sequence $e_B = (\omega_{j_0} \pi_{j_1} \omega_{j_1} \pi_{j_2} \ldots)$ is an execution fragment of $B$.

(2) The timed trace of $e_A$ is $((t_s, F_s), \sigma, (t_f, F_f))|_A$, and the timed trace of $e_B$ is $((t_s, F_s), \sigma, (t_f, F_f))|_B$.

(3) For all sites $v \in \mathit{sites}(A) \cap \mathit{sites}(B)$ and $t \in [t_s, t_f]$, $\mathit{local\_time}_{A,v}(t) = \mathit{local\_time}_{B,v}(t)$.

Figure 2-3: An example for the scenario considered in the proof of Theorem 2.4. While $\sigma$ is a form for $A \times B$, $e_A$ and $e_B$ are executions of $A$ and $B$ whose timed traces are $((t_s, F_s), \sigma, (t_f, F_f))|_A$ and $((t_s, F_s), \sigma, (t_f, F_f))|_B$, respectively.


Using these trajectories, we construct an execution of $A \times B$ in a piecewise fashion. For ease of notation, let us define $r_k = \mathit{now}(\pi_k)$, and $r_0 = t_s$. We now show how to construct a trajectory $\omega_k$ for the time interval $[r_k, r_{k+1}]$, where $k \ge 0$. Let $i_k, j_k$ be the greatest indices such that $\pi_{i_k}$ and $\pi_{j_k}$ occur before $\pi_{k+1}$ in $\sigma$, or $0$ if no such events exist. Define $r_{i_k}$ to be the $\mathit{now}$ value of $\pi_{i_k}$, or $t_s$ if $i_k = 0$; define $r_{j_k}$ analogously. (Notice that $r_k$ is the maximum of $r_{i_k}$ and $r_{j_k}$.) For example, in Figure 2-3 and with $k = 3$, we have $i_k = i_2$ and $j_k = j_1$.

We define $\omega_k$ using $\omega_{i_k}$ and $\omega_{j_k}$, using state composition, namely $\omega_k(t) = \omega_{i_k}(t) \times \omega_{j_k}(t)$. We claim that $\omega_k$ is a trajectory on $[r_k, r_{k+1}]$ for $A \times B$. We prove this as follows. First, for all $t \in [r_k, r_{k+1}]$, $\mathit{now}_A(\omega_{i_k}(t)) = \mathit{now}_B(\omega_{j_k}(t)) = t$, and for all $v \in \mathit{sites}(A) \cap \mathit{sites}(B)$ we have by assumption that $\mathit{local\_time}_{A,v}(t) = \mathit{local\_time}_{B,v}(t)$. It follows that $\omega_{i_k}(t) \times \omega_{j_k}(t) \in \mathit{states}(A \times B)$ for all $t$ in the interval. Secondly, let $r_k \le t_1 < t_2 \le r_{k+1}$. By the properties of $A$ and $B$, respectively, we have that $(\omega_{i_k}(t_1), \nu, \omega_{i_k}(t_2)) \in \mathit{trans}(A)$, and $(\omega_{j_k}(t_1), \nu, \omega_{j_k}(t_2)) \in \mathit{trans}(B)$. Also, for all $v \in \mathit{sites}(A) \cap \mathit{sites}(B)$ we have by assumption that $\mathit{local\_time}_{A,v}(t_1) = \mathit{local\_time}_{B,v}(t_1)$ and $\mathit{local\_time}_{A,v}(t_2) = \mathit{local\_time}_{B,v}(t_2)$. It therefore follows that $(\omega_{i_k}(t_1) \times \omega_{j_k}(t_1), \nu, \omega_{i_k}(t_2) \times \omega_{j_k}(t_2)) \in \mathit{trans}(A \times B)$, showing that $\omega_k$ is a trajectory for $A \times B$.

To complete the construction, we need to combine the trajectories by the visible actions of $\sigma$. But this immediately follows since for $k > 0$, $(\mathit{l\_state}(\omega_{k-1}), \pi_k, \mathit{f\_state}(\omega_k)) \in \mathit{trans}(A \times B)$ by the definitions. We conclude by noting that the execution fragment constructed above agrees with the times forms $(t_s, F_s)$ and $(t_f, F_f)$. ■
Corollary 2.4.1 Let $A_1 \times A_2 \times \cdots \times A_n$ be the composition of compatible mixed automata $A_1, \ldots, A_n$, and let $((t_s, F_s), \sigma, (t_f, F_f))$ be a form for $A_1 \times A_2 \times \cdots \times A_n$. Suppose that for $i = 1, \ldots, n$ there exist execution fragments of $A_i$ whose timed traces are the projection of $((t_s, F_s), \sigma, (t_f, F_f))$ on $A_i$. Suppose further that if $v \in \mathit{sites}(A_i) \cap \mathit{sites}(A_j)$ for some $i, j$, then we have $\mathit{local\_time}_{A_i,v}(t) = \mathit{local\_time}_{A_j,v}(t)$ for all $t \in [t_s, t_f]$. Then there exists an execution fragment of $A_1 \times A_2 \times \cdots \times A_n$ whose timed trace is $((t_s, F_s), \sigma, (t_f, F_f))$.

Proof: By applying Theorem 2.4 to $A_1$ and $A_2$, and then to $A_1 \times A_2$ and $A_3$, etc. ■
Summary

In this chapter we defined the mixed automaton model, which is the underlying computational model we shall consider in the remainder of this work. The mixed automaton model is based on the timed I/O automata model of Lynch and Vaandrager [22, 20]. Our model formalizes the notion of a system with local clocks. We defined the basic notions of executions and their timed traces, which roughly are the sequences of input and output events in executions. We made a few notational conventions, described intuitively as follows.
• Clock locations are called sites.
• The real time of occurrence of an event $\pi$ is denoted by $\mathit{now}(\pi)$.
• For a site $v$ and an event $\pi$, $\mathit{local\_time}_v(\pi)$ is the local time of occurrence of $\pi$, defined by the value of the clock of $v$ when $\pi$ occurs.
• A bounded-drift clock is a clock whose rate of progress with respect to real time is bounded by a drift lower bound and a drift upper bound. A $(\varrho, \bar\varrho)$-clock is a bounded-drift clock with drift bounds $0 < \varrho \le \bar\varrho$. A $(1,1)$-clock is called a drift-free clock.
• An automaton is real-time blind if it cannot access the real time component of the state. (It may access the local time component.)
• A state is quiescent if no locally-controlled action is enabled in it, and no such action will become enabled by time passage alone.

An important feature of the model is that simple modules, under certain compatibility conditions, can be combined to obtain a more complex module.
Chapter 3

Clock Synchronization Systems


In this chapter we use the formalism developed in Chapter 2 to describe the clock syn- 
chronization systems we shall be studying. The main idea in the system definition in this 
chapter (first introduced by Attiya et al. [3]) is to partition the system into two: an active 
part (called environment) that generates messages and delivers them, and a passive part, 
played by the clock synchronization algorithm, whose role is to interpret the resulting com- 
munication patterns. This is in contrast to conventional viewpoints, where synchronization 
algorithms may initiate the sending of a message. Intuitively, in our framework algorithms 
have to work with any possible message traffic generated by the environment. 

This chapter is organized as follows. In Section 3.1 we carefully define the system, by 
describing each of its basic components and the way they interact. This modeling is intended 
to be reasonably close to the way systems are constructed, e.g., it includes definitions of 
processors and communication links. 

In Section 3.2 we shift our standpoint to a more conceptual one: we isolate the role of 
the synchronization algorithm versus an adversarial environment, which controls the local 
clocks, and message send and receive events. We define the key notions of the view and the 
pattern of an execution of a clock synchronization system, which describe the information 
in the execution which is relevant for clock synchronization tasks. These notions are defined 
with respect to an execution of the system. To capture the properties of distributed on-line 
systems (discussed in Chapter 4), we also define the notion of local view of an execution, 
which is the part of the view which can be known at a processor at a time point. 


We conclude the system model chapter in Section 3.3, where we prove the basic property used in lower-bound arguments in this thesis. Intuitively, this property is that (1) all executions that satisfy the timing specification of the system are possible, and (2) the output of a synchronization algorithm depends only on the view of the execution, which contains local times of events, but no real times.

[Figure 3-1, diagram: a Processor containing a Send Automaton (controls message emission), a LocalClock (bounded drift), and the Clock Synchronization Algorithm (CSA) (controls synchronization output and message contents). The send automaton and the CSA exchange Send_Message(m) and Receive_Message(m); the CSA and the Communication Links (control message delivery) exchange Send_Aug_Message(m,m') and Receive_Aug_Message(m,m').]

Figure 3-1: The automata and interfaces at one node of a clock synchronization system. Each processor has a local clock; only the send modules initiate message sending. The clock synchronization modules must work using piggybacking on existing traffic.


3.1 Specifications of System Components

The system has an underlying graph, which is a directed graph whose nodes represent processors and whose edges represent unidirectional communication links. We call the nodes of the underlying graph processors, to avoid confusion with nodes of other kinds of graphs defined later.

Roughly speaking, the system we describe is as follows (see Figure 3-1). Each processor has a bounded-drift clock (cf. Definition 2.5). Processors communicate by sending messages over the links. Message sends are initiated only by the send modules, in an arbitrary fashion (i.e., a send action can be taken at any time). The clock synchronization algorithm (abbreviated CSA henceforth) can only piggyback messages on the existing traffic in order to carry out the specific synchronization task at hand.

In our notation, send modules output Send_Message$(m)$ actions. For each Send_Message$(m)$ action at a processor $v$, the CSA at $v$ must immediately output a Send_Aug_Message$(m, m')$ action, where $m'$ is a message added by the CSA for communication with other CSAs. The network may duplicate, lose, and reorder messages arbitrarily (but not corrupt their contents). A message is received in a Receive_Aug_Message$(m, m')$ action, which is taken by the network. For each Receive_Aug_Message$(m, m')$ action, the CSA at the receiving processor “strips” $m'$ off, and outputs Receive_Message$(m)$ to the send module. The contents of the $m'$ field of messages is the sole way communication between different CSAs is realized.

We assume that when a message is received, lower and upper bounds on its time of transit (which may be 0 and $\infty$, respectively) are available to the CSA, as functions of the message contents (e.g., its length) and the system specification. The system is defined so that all events are local, i.e., each event is an action of exactly one processor.

In the remainder of this section we define formally specific automata for links and send modules, and give certain conditions that any clock synchronization algorithm must meet.


3.1.1 Send Automaton

Intuitively, the role of a send automaton $A_v$ at processor $v$ is to determine when to send messages and to which neighbor. In general, these decisions may be based (perhaps non-deterministically) on the local history and/or the local time (e.g., timeouts). In this thesis, we concentrate on the highly unstructured automaton, in which messages may be sent at any time to any neighbor.

We assume that send modules have bounded-drift clocks (cf. Def. 2.5). In Figure 3-2 we give a formal specification of a send module. The definition uses the following notation. For each processor $v$, $N(v)$ denotes the set of neighbors of $v$ in the underlying graph; $\Sigma$ denotes a (possibly infinite) message alphabet. In Figure 3-2, as we do in the rest of this thesis, we follow the convention that the actions are subscripted by processor names. As we shall see, this is possible since every action in the system is associated with exactly one processor. We usually omit subscripts when the context is clear.

Remark. The basic action of a send module is a point-to-point send. Our definition of send modules includes all possible behaviors of message sends. In particular, a broadcast or a multicast of a message to many processors can be modeled by many send actions taken at the same real time. Notice also that a send automaton may stop sending messages at some point, thus behaving like a process that crashed.

Sites: a single site v

State:
  now: a non-negative real number, initially 0
  local_time: a real number, initially arbitrary

Actions:
  Receive_Message_u(m), for m ∈ Σ and u ∈ N(v) (input)
    Pre: none
    Eff: none

  Send_Message_u(m), for m ∈ Σ and u ∈ N(v) (output)
    Pre: none
    Eff: none

  ν (time passage)
    Pre: δ > 0
         ϱ ≤ r ≤ ϱ̄
    Eff: now ← now + δ
         local_time ← local_time + r·δ

Figure 3-2: Specification of a send module A_v at site v with a (ϱ, ϱ̄)-clock.

Sites: none

State:
  now: a non-negative real number, initially 0
  Q: a multiset of triples (m1, m2, t) ∈ Σ × Σ' × R⁺, initially ∅

Transitions:
  Send_Aug_Message_vu(m1, m2), where m1 ∈ Σ, m2 ∈ Σ' (input)
    Eff: choose an arbitrary integer i ≥ 0
         do i times
           put (m1, m2, t) in Q, where t is an arbitrary number in [L(m1), H(m1)]

  Receive_Aug_Message_vu(m1, m2), where m1 ∈ Σ, m2 ∈ Σ' (output)
    Pre: (m1, m2, 0) ∈ Q
    Eff: remove a triple (m1, m2, 0) from Q

  ν (time passage)
    Pre: 0 < δ ≤ t for all (m1, m2, t) ∈ Q
    Eff: Q ← {(m1, m2, t − δ) | (m1, m2, t) ∈ Q}
         now ← now + δ

Figure 3-3: Specification of a link automaton L_vu.

Example. Consider once again the SENDER automaton defined in Figure 2-2. It has the same action signature as the general send module of Figure 3-2, but it is slightly more structured: the Send_Message action is not always enabled in SENDER. It is therefore clear that the set of timed traces of SENDER is a strict subset of the set of timed traces of the general send automaton of Figure 3-2. ■


3.1.2 Network 


The network is modeled as a collection of links which facilitate communication among
the processors. Each link from a processor v to a processor u has a Send_Aug_Message_vu input
action (generated by processor v), and a Receive_Aug_Message_vu output action (generated at
processor u).¹ We assume very little about the faithfulness of the links: messages may be

¹The interface between links and processors is sketched in Figure 3-1; a formal description is given in
Section 3.1.4, after we define the CSA modules in Section 3.1.3.
lost, duplicated, or re-ordered. We only require that any message received was indeed sent
(i.e., no corruption of message contents). We also require that the transmission time of each
message received is within some (possibly infinite) interval which is known at the receive
point.

More precisely, we associate with each directed link (v, u) a link automaton L_vu which
is responsible for the delivery of messages from v to u. The messages have the form
(m1, m2), where m1 ∈ Σ and m2 ∈ Σ′, for some message alphabets Σ and Σ′. L_vu has
no sites (i.e., no local clocks), but it satisfies the following timing specification. For any
Receive_Aug_Message(m1, m2) step of the system we assume the existence of two num-
bers 0 ≤ L(m1) ≤ H(m1) ≤ ∞, such that if the receive event occurs at real time t,
then the (unique) send event of this message must have occurred within the time interval
[t − H(m1), t − L(m1)]. The number L(m1) is called the latency lower bound of m1, and
H(m1) is called the latency upper bound of m1. Note that the latency bounds for a message
(m1, m2) may depend only on m1.

A complete description of an L_vu automaton is given in Figure 3-3.

Remarks. 

1. In the formal description of Figure 3-3, latency bounds are determined when a message 
is input into the link. This is done for convenience only. In an equivalent formalization, 
the latency bounds are determined only when a message is output. (The latter formulation 
may seem more realistic in the sense that transmission time can be better estimated upon 
delivery than upon sending.) The fact that we shall use in the sequel is that when a 
message is received, one can determine, from the system specifications and the contents of 
the message, what are the latency time bounds for that message. 

2. Note that the specification of the link is very general. In particular, a link may stop 
delivering messages starting from some point, thus behaving like a crashed link. However, 
the link specification guarantees that if a message is received, then it was sent, i.e., there is 


no corruption of messages. 


Example. Let us define a particular kind of links we call perfect asynchronous links. For
these links, the sequence of messages received is exactly the sequence of messages sent,
i.e., messages are never lost, created, duplicated, nor re-ordered. The timing specification
of these links, however, is the loosest possible: the latency bounds are 0 (lower bound)


Sites: none
State
  now: non-negative real number, initially 0
  Q: a queue of pairs (m1, m2) ∈ Σ × Σ′, initially empty

Transitions

Send_Aug_Message_vu(m1, m2), where m1 ∈ Σ, m2 ∈ Σ′        (input)
  Eff: enqueue (m1, m2) in Q

Receive_Aug_Message_vu(m1, m2), where m1 ∈ Σ, m2 ∈ Σ′     (output)
  Pre: (m1, m2) is at the head of Q
  Eff: remove head of Q

ν(b)                                                       (time passage)
  Pre: b > 0
  Eff: now ← now + b

Figure 3-4: Specification of a perfect asynchronous link from v to u.


and ∞ (upper bound) for all messages (see the formal description in Figure 3-4). A perfect
asynchronous link is just a special case of the general link of Figure 3-3, in the sense that
the set of timed traces of a perfect asynchronous link is a subset of the set of timed traces
of general links.


3.1.3 Clock Synchronization Algorithm (CSA)


The CSA uses the readings of the local clock, and the messages sent and received, in order 
to carry out some synchronization task (the definition of particular tasks is deferred to later 
chapters). In this subsection we specify requirements that must be met by any CSA, and 


point out what remains unspecified. 


Interface 


CSA modules use two message alphabets for communication, Σ and Σ′, where Σ is used by
the send automaton, and Σ × Σ′ is used by the links. The CSA module at processor v has
the action signature described in Figure 3-5.

For output, CSA modules may have additional variables or actions. The definitions depend
on the specific synchronization task considered, which in turn depends on the definition
Input actions
  Send_Message_u(m), for m ∈ Σ and u ∈ N(v).
  Receive_Aug_Message_u(m1, m2), for (m1, m2) ∈ Σ × Σ′ and u ∈ N(v).

Output actions
  Send_Aug_Message_u(m1, m2), for (m1, m2) ∈ Σ × Σ′ and u ∈ N(v).
  Receive_Message_u(m), for m ∈ Σ and u ∈ N(v).

Figure 3-5: Interface of a CSA at processor v


of the full clock synchronization systems. We therefore defer them to Section 4.1. 


Non-Interfering Filtering 


The CSA modules use piggybacking on the messages generated by the send modules in 
order to communicate among themselves. A CSA is not allowed to interfere with message 
traffic by delaying messages or by deleting parts of their contents. Informally, we think of 
the CSA as a filter that relays incoming and outgoing messages instantaneously between 
the send and the link modules (see Figure 3-1), while “sticking” a few extra bytes on each 
outgoing message, and “stripping” the corresponding bytes from incoming messages. We 
call this property non-interfering filtering. 

To capture this property formally, we define an auxiliary notion of a generic CSA in
Figure 3-6. There, time passage is blocked when there is some message to be processed by
the CSA. Using the specification of the generic CSA, we define non-interfering filtering.


Definition 3.1 A CSA is said to have the non-interfering filtering property if its set of timed 


traces is a subset of the set of timed traces of the generic CSA of Figure 3-6. 


Remark. Notice that in an execution of an automaton with the non-interfering fil- 
tering property, there is a natural correspondence between the Receive_Message and the 
Receive_Aug_Message events, and between the Send_Message and the Send_Aug_Message 


events. 
Sites: a single site v

State
  now: non-negative real number, initially 0
  local_time_v: real number, initially arbitrary
  Q_I: queue for symbols of Σ, initially ∅
  Q_O: queue for symbols of Σ × Σ′, initially ∅
  active: Boolean flag, initially FALSE

Actions

Send_Message_u(m)                                      (input)
  Eff: enqueue m in Q_O
       active ← TRUE

Send_Aug_Message_u(m1, m2)                             (output)
  Pre: m1 is at the head of Q_O
  Eff: remove head of Q_O
       if Q_O = Q_I = ∅ then active ← FALSE

Receive_Aug_Message_u(m1, m2)                          (input)
  Eff: enqueue m1 in Q_I
       active ← TRUE

Receive_Message_u(m1)                                  (output)
  Pre: m1 is at the head of Q_I
  Eff: remove head of Q_I
       if Q_O = Q_I = ∅ then active ← FALSE

ν(b)                                                   (time passage)
  Pre: active = FALSE
       b > 0
       ϱ ≤ r ≤ ϱ̄
  Eff: now ← now + b
       local_time ← local_time + r·b

Figure 3-6: Code for a generic CSA with (ϱ, ϱ̄)-clock.
Admissible CSAs


We now define formally the requirements of clock synchronization algorithms. In addition 
to formalizing our requirement that CSAs are allowed to use only piggybacking for commu- 
nications, we impose a couple of additional technical requirements; these rule out algorithms 
which are possible in our formal model, but are usually infeasible in practice. 

First, we rule out the possibility that a CSA senses time passage directly: time passage 
is confined to affect directly only the local clocks, and the CSAs are affected only by changes 
in the local clocks. This requirement is formalized by the concept of real-time blindness (cf. 
Definition 2.6). Recall that the state of a real-time blind automaton can be decomposed to 
real time, local times, and basic components. We remark that unless a CSA is trivial, its 
output is defined in terms of its basic state. 

Secondly, notice that in our model, the initial state provides an artificial synchronization 
point for all processors in the system. Specifically, it is possible that upon initialization, 
all CSA modules will record the initial value of their local time, thereby getting an accu- 
rate snapshot of the local clocks in a perfectly synchronized manner. We rule out such 
algorithms since the synchronous initialization point is only a convenient abstraction, and 
cannot usually be implemented in practice. Formally, we require all start states of a CSA 
automaton to be quiescent (see Definition 2.7 for details). Intuitively, the implication of 
having a quiescent initial state is that the automaton cannot “tell” how much time has 
elapsed since the (abstract) initialization until the first local input action. Technically, no 
locally-controlled actions are enabled at a quiescent state: only time passage and input 


actions are enabled. Formally, we have the following lemma. 


Lemma 3.1 Let e = (w_0 π_1 w_1 …) be an execution fragment of an automaton A. If for some
i and t we have that the state w_i(t) is quiescent, then the action π_{i+1} (if it exists) is an input
action.

Proof: If π_{i+1} does not exist, there is nothing to prove. Otherwise, we have that either
w_i(t) = l_state(w_i) or else w_i(t) ≠ l_state(w_i). In both cases, by Definition 2.7, it must be
the case that l_state(w_i) is quiescent, i.e., only time passage and input actions are enabled in
l_state(w_i). Since e is an execution fragment, π_{i+1} is enabled in l_state(w_i) and π_{i+1} ≠ ν, and
the lemma follows. ∎




We summarize formally all the requirements a CSA has to satisfy in the following defi- 


nition. 


Definition 3.2 A mixed automaton is called an admissible CSA if it has the external in-
terface specified in Figure 3-5, it has the non-interfering filtering property as specified by
Definition 3.1, it is real-time blind as specified in Definition 2.6, and all its initial states
are quiescent as in Definition 2.7.


Henceforth, we restrict our attention to admissible CSAs only. 


Latitude in CSA Specification 


Definition 3.2 imposes a few severe limitations on CSAs. Let us explain roughly what
remains to be defined in a particular implementation of a CSA. First, the definition of
an admissible CSA does not specify how to compute the output. Secondly, by the non-
interfering filtering property, whenever a Send_Message(m1) occurs, a CSA must output a
Send_Aug_Message(m1, m2) action, but m2 is not specified.

The intuition is that CSA modules have to produce some output (which may be either
some values, or some special action). To this end, CSA modules may have additional basic
state components, and they can communicate among themselves by using the “m2” field of
the messages.


3.1.4 Clock Synchronization Systems 


Having defined the individual components, we are now in a position to define the concept of 
clock synchronization system. A clock synchronization system is defined by the composition 
of a collection of send automata, link automata, and CSA automata. Formally, we first 
compose pairs of send automata and CSAs that share a site. As mentioned before, we call 
the resulting single-site mixed automaton a processor. We require that for each site there is 
exactly one send module and one CSA (see Figure 3-1). To create the system automaton, 
we compose the processors with the link automata. 

In our definition of systems, each non-time-passage action has a naturally associated site
of occurrence (there are no internal actions of the link automata). We use this association to
define the local time of occurrence for each step in an execution. E.g., the local time of occur-
rence of a Send_Message_u(m) step at site v in a given execution is local_time_v(Send_Message_u(m)).
A clock synchronization system (excluding the CSAs) is thus specified up to clock drift
bounds and message latency bounds. We shall refer to these as the real-time specification
of the system (a formal definition is given later). We assume that the real-time specification
of the system can be used by the CSA modules. In other words, the code for a CSA can
refer to clock drift bounds and message latency bounds. We argue that this assumption
is reasonable. For clocks, one usually has some bounds provided by the manufacturer.
For messages, some universal latency bounds are always valid: in all physical systems, the
transmission time of any message is at least 0 and at most ∞. In many cases sharper
bounds are known. As we shall see, even using the universal bounds some non-trivial
synchronization can be attained by the CSAs. Sharpening the bounds may only result in
tighter synchronization.


3.1.5 Example: the Simplified Network Time Protocol (SNTP) 


In this section we give a concrete example of a clock synchronization system. Our example
is based on NTP (Network Time Protocol), the clock synchronization algorithm used over
the Internet [26]. We present a simplified version of an NTP system, which we call below
SNTP.

In SNTP, we have only two processors, s and v, connected by a bidirectional communi-
cation link. Both processors have drift-free clocks. The particular synchronization task we
consider is that v needs to bound, at all times, the current reading of the clock of s. (This
is a special case of the “external synchronization” task, studied in Chapter 6.) Formally,
we require that the CSA module at v maintains two output variables, denoted ext_L and
ext_U, such that at any state x, local_time_s(x) ∈ [ext_L, ext_U].

The send and the link automata of SNTP are more structured than the general modules
defined in Section 3.1. Specifically, the system architecture is as follows.

The send modules in SNTP are such that periodically, v sends a message to s, which
in turn responds by sending a message back to v.² The link automata in an SNTP system
(L_vs and L_sv) are perfect asynchronous links (cf. Figure 3-4), i.e., all messages are delivered
in order, exactly once, with latency bounds 0 (lower bound) and ∞ (upper bound).

Before we describe the way the CSAs work in SNTP, notice that since the clocks of v and

²The SENDER automaton of Figure 2-2 can serve as a specification for the send module of v; the send
module of s can be specified as a slight variant of SENDER, where the pend flag is initially FALSE.




[Figure 3-7: three time-space diagrams (a), (b) and (c), each with an axis for s and an
axis for v. On v's axis, point q (local time LT_1) sends m and point p′ (local time LT_4)
receives m′; on s's axis, point p (local time LT_2) receives m and point q′ (local time LT_3)
sends m′.]

Figure 3-7: The total transit time of m and m′, TT, is the length of the shaded interval on
v's axis in (a). In (b), m is in transit TT time units, and in (c) m′ is in transit TT time
units.

s are drift-free, the difference between them is the same at all states of a given execution.
Therefore, in order to obtain bounds on the local time of s, it is sufficient to have the local
time at v, and bounds on the difference between the local time of v and of s at any state.

We now describe the CSA modules of SNTP with the aid of a concrete example (a formal
description is given in Figures 3-8 and 3-9). Consider the scenario depicted in Figure 3-7(a),
where v sends a message m to s, and s responds by sending m′ to v. The CSA modules
work as follows. When m is sent by v (point q), the CSA at v records the local time of the
send event in the variable LT_1, i.e., it sets LT_1 = local_time(q). When m is received by the
source processor (point p), it records the local time of that event in the variable LT_2, i.e.,
LT_2 = local_time(p). When the source sends m′ (point q′), m′ contains the values of LT_2
and of the local time of the send event, denoted LT_3 = local_time(q′).

When m′ is received at v (point p′), v calculates TT, the total transit time of both
messages: denoting LT_4 = local_time(p′), this can easily be seen to be TT = (LT_4 − LT_1) −
(LT_3 − LT_2) (see Figure 3-7 (a)).

Finally, bounds on the difference between v's clock and s's clock are obtained by bound-
ing the local time at the source at the point at which m′ is received at v. The idea is as
follows. Let x denote the state of the system immediately after m′ is received. Since m′ is
in transit at least 0 time units (Figure 3-7 (b)), it must be the case that the local time at
the source when m′ is received at v is at least LT_3, i.e., local_time_s(x) ≥ LT_3. On the other
hand, since m′ was in transit at most TT time units (Figure 3-7 (c)), it must also be the
case that the local time at the source when m′ is received at v is at most LT_3 + TT, i.e.,
local_time_s(x) ≤ LT_3 + TT. Since the local time of v at x is LT_4, and since the difference
in local times between v and s is fixed throughout the execution, we have, for any state y
in the execution,

  local_time_s(y) − local_time_v(y) = local_time_s(x) − local_time_v(x)
                                    ∈ [LT_3 − LT_4, LT_3 + TT − LT_4],

and hence,

  local_time_s(y) ∈ [local_time_v(y) + LT_3 − LT_4, local_time_v(y) + LT_3 + TT − LT_4].

When m′ is received the local time at v is LT_4, and hence, at that time v sets ext_L = LT_3
and ext_U = LT_3 + TT. Whenever the local time increases at v, the variables ext_L and
ext_U are increased by the same amount.
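The round-trip computation above, as an added example that is not code from the thesis: the Python below simulates the two CSAs of Figures 3-8 and 3-9 over perfect asynchronous links with constructed transit times, derives [ext_L, ext_U] from the four local timestamps, shifts the bounds under time passage as the time-passage action of Figure 3-8 does, and checks that the true local time of s always lies inside them. The clock offsets, transit times, processing delay at s, and all class and function names are assumptions of the example; the queues and active flag of the generic CSA (Figure 3-6) are not modelled, only the timestamp arithmetic. The TT < 0 consistency check is likewise added here: with latency lower bound 0 and drift-free clocks, honest timestamps can never yield a negative total transit time, so such a reply can be rejected instead of trusted.

```python
"""One SNTP round trip (Figures 3-7 to 3-9) with drift-free clocks, simulated.

Added example, not code from the thesis. Clock offsets, transit times and the
processing delay at s are constructed values; the names are the example's own.
"""
import math
from dataclasses import dataclass


@dataclass
class DriftFreeClock:
    """local_time = now + offset; the offset is hidden from the CSAs."""
    offset: float

    def read(self, now: float) -> float:
        return now + self.offset


class SourceCSA:
    """CSA at s (Figure 3-9): records LT2 when m arrives, piggybacks (LT2, LT3) on m'."""

    def __init__(self, clock: DriftFreeClock) -> None:
        self.clock = clock
        self.LT2 = None

    def receive_aug_message(self, now: float) -> None:
        self.LT2 = self.clock.read(now)          # point p

    def send_aug_message(self, now: float) -> tuple:
        if self.LT2 is None:
            raise RuntimeError("no request has been received yet")
        return (self.LT2, self.clock.read(now))  # point q': LT3 is the send time


class ClientCSA:
    """CSA at v (Figure 3-8): maintains ext_L <= local_time_s <= ext_U."""

    def __init__(self, clock: DriftFreeClock) -> None:
        self.clock = clock
        self.LT1 = None
        self.ext_L, self.ext_U = -math.inf, math.inf
        self.bound_time = None   # v's local time at which the bounds were last set

    def send_aug_message(self, now: float) -> tuple:
        self.LT1 = self.clock.read(now)          # point q
        return (0.0, 0.0)                        # v piggybacks the placeholder pair (0, 0)

    def receive_aug_message(self, now: float, m2: tuple) -> None:
        LT2, LT3 = m2
        LT4 = self.clock.read(now)               # point p'
        TT = (LT4 - self.LT1) - (LT3 - LT2)      # total transit time of m and m'
        # Consistency check added in this example: with latency lower bound 0 and
        # drift-free clocks, honest timestamps cannot give TT < 0.
        if TT < 0:
            raise ValueError(f"inconsistent piggybacked timestamps: TT = {TT}")
        self.ext_L, self.ext_U = LT3, LT3 + TT
        self.bound_time = LT4

    def bounds(self, now: float) -> tuple:
        """Time passage in Figure 3-8 adds the same amount to local_time, ext_L, ext_U."""
        b = self.clock.read(now) - self.bound_time
        return self.ext_L + b, self.ext_U + b


def round_trip(offset_v, offset_s, d1, proc, d2, start=0.0):
    """Run one round trip over perfect asynchronous links (latency in [0, inf)):
    m takes real time d1 from v to s, s replies after proc, m' takes d2 back.
    Returns (client CSA, source clock, real time at which m' was received)."""
    v = ClientCSA(DriftFreeClock(offset_v))
    s = SourceCSA(DriftFreeClock(offset_s))
    now = start
    v.send_aug_message(now)
    now += d1
    s.receive_aug_message(now)
    now += proc
    m2 = s.send_aug_message(now)
    now += d2
    v.receive_aug_message(now, m2)
    return v, s.clock, now


def bounds_hold(v: ClientCSA, clock_s: DriftFreeClock, now: float) -> bool:
    """Check local_time_s(y) in [ext_L, ext_U] at the state y reached at real time now."""
    lo, hi = v.bounds(now)
    return lo <= clock_s.read(now) <= hi


if __name__ == "__main__":
    v, clock_s, t = round_trip(offset_v=-1.0, offset_s=5.0, d1=3.0, proc=1.0, d2=2.0)
    print("bounds at receipt:", v.bounds(t), "true local_time_s:", clock_s.read(t))
    print("bounds 10 units later:", v.bounds(t + 10), "true:", clock_s.read(t + 10))
```

Two things worth noting from running it. The width of the interval, ext_U − ext_L = TT, equals the real transit time of m plus that of m′ regardless of the processing delay at s, so the bound is tight only when the round trip is fast. And the TT < 0 check only catches replies whose timestamps are impossible under the model; a forged (LT_2, LT_3) that keeps TT ≥ 0 passes and silently shifts the interval, which is exactly why the link specification's no-corruption assumption matters.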

It is easy to verify that the CSAs in SNTP are admissible in the sense of Def. 3.2. First,
the CSA modules have the interface of Figure 3-5. Secondly, the CSA modules satisfy the
non-interfering filtering property: in fact, their code is based on the code of the generic
CSA in Figure 3-6. Thirdly, the CSA modules are easily seen to be real-time blind: their
state readily has now and local_time components, and the rest is the basic component.
(Notice that the output variables are part of the basic component.) It is simple to verify
that the transitions depend only on the basic and the local-time components, and on the
clock specification. Finally, the initial states of the CSA modules are quiescent, as the only
actions enabled at any state reachable from the initial states by time passage are inputs and
time passage.


3.2 Environments and Bounds Mapping


In this section we take the final step in modeling clock synchronization systems. We divide 
the system into two parts, one consists of the CSA modules, and the remainder is called the 
environment. Intuitively, the idea is to view the aggregate of all send and link automata as 
a single environment automaton (see Figure 3-10), where the goal of the CSA modules is to 


try to get the tightest possible logical time for each observable behavior of the environment. 
Sites: a single site v
State
  now: non-negative real number, initially 0
  local_time: real number, initially arbitrary
  ext_L: real number, initially −∞
  ext_U: real number, initially ∞
  Q_I: queue for symbols of Σ, initially ∅
  Q_O: queue for symbols of Σ × R², initially ∅
  active: Boolean flag, initially FALSE
  LT_1: a real number, initially undefined

Actions

Send_Message_s(m)                                      (input)
  Eff: enqueue m in Q_O
       active ← TRUE
       LT_1 ← local_time

Send_Aug_Message_s(m1, 0, 0)                           (output)
  Pre: m1 is at the head of Q_O
  Eff: remove head of Q_O
       if Q_O = Q_I = ∅ then active ← FALSE

Receive_Aug_Message_s(m1, (LT_2, LT_3))                (input)
  Eff: enqueue m1 in Q_I
       active ← TRUE
       LT_4 ← local_time
       TT ← (LT_4 − LT_1) − (LT_3 − LT_2)
       ext_L ← LT_3
       ext_U ← LT_3 + TT

Receive_Message_s(m1)                                  (output)
  Pre: m1 is at the head of Q_I
  Eff: remove head of Q_I
       if Q_O = Q_I = ∅ then active ← FALSE

ν(b)                                                   (time passage)
  Pre: active = FALSE
       b > 0
  Eff: now ← now + b
       local_time ← local_time + b
       ext_L ← ext_L + b
       ext_U ← ext_U + b

Figure 3-8: Code of the CSA module in SNTP for processor v (single round-trip).
Sites: the source site s
State
  now: non-negative real number, initially 0
  local_time: real number, initially arbitrary
  Q_I: queue for symbols of Σ, initially ∅
  Q_O: queue for symbols of Σ × R², initially ∅
  active: Boolean flag, initially FALSE
  LT_2: a real number, initially undefined

Actions

Receive_Aug_Message_v(m1, 0, 0)                        (input)
  Eff: enqueue m1 in Q_I
       active ← TRUE
       LT_2 ← local_time

Receive_Message_v(m1)                                  (output)
  Pre: m1 is at the head of Q_I
  Eff: remove head of Q_I
       if Q_O = Q_I = ∅ then active ← FALSE

Send_Message_v(m)                                      (input)
  Eff: enqueue m in Q_O
       active ← TRUE

Send_Aug_Message_v(m1, LT_2, LT_3)                     (output)
  Pre: m1 is at the head of Q_O
       LT_3 = local_time
  Eff: remove head of Q_O
       if Q_O = Q_I = ∅ then active ← FALSE

ν(b)                                                   (time passage)
  Pre: active = FALSE
       b > 0
  Eff: now ← now + b
       local_time ← local_time + b

Figure 3-9: Code of the CSA module in SNTP for processor s.

[Figure 3-10: three boxes labelled “Clock Synchronization Algorithm” drawn above a single
box labelled “ENVIRONMENT”.]

Figure 3-10: The conceptual arrangement of the automata at a clock synchronization system
for the local competitiveness model.


In Section 3.2.1 we isolate the relevant information in executions of environments in the 
notions of pattern and views. A pattern contains all the events with their real and local time 
of occurrence, while a view does not contain the real time of occurrence. In Section 3.2.2 we 
define the concept of local view at a point in the execution, which is the portion of the view 
that can be known at that point. In Section 3.2.3 we formalize the real-time specification 
of a system in the definition of bounds mapping. This definition allows us to treat message 
latency bounds and clock drift bounds in a uniform way. The bounds mapping derived from 


the real-time specification of the system is called the standard bounds mapping. 


3.2.1 Environments, Patterns, Views 


We start with a formal definition of the notion of environment. Recall that the definition of a 
send automaton includes the definition of the clock at its site. The environment automaton 
defined below, therefore, controls the local clocks, message generation, and message delivery 


in a clock synchronization system. 


Definition 3.3 (Environments) Given a clock synchronization system, the environment 


is the mixed automaton defined by the composition of all send and link automata. 


Our main interest is in executions of environments. The notion of execution contains
a great deal of information: for example, at any given time, the state of a link describes
precisely how many copies of each message are in transit and when they will be delivered.
For synchronization purposes, however, it seems sufficient to match receive events with
send events, ignoring the interim. The concepts of patterns and views defined below get
rid of information in executions which is irrelevant for synchronization. Intuitively, a view
contains a set of points (which may be actions or just “placeholders” called null points),
with a graph structure which describes their order of occurrence, and a local time attribute
for each point; a pattern contains also a real-time attribute for each point. The graph
structure is essentially the one described by Lamport [16]. Let us recall the following
standard graph-theoretic definitions.


Definition 3.4 Let G = (V, E) be a directed graph. A sequence p_0, p_1, …, p_k is a path from
p_0 to p_k in G if p_i ∈ V for i = 0, 1, …, k, and (p_{i−1}, p_i) ∈ E for i = 1, 2, …, k. A path from
p_0 to p_0 is a cycle. A point p is said to be reachable from a point q if there is a path from q
to p.


Before we make the definition, recall that in an execution, each event has its real time 
of occurrence; since in clock synchronization systems each event has a unique processor in 


which it occurs, we also have a unique local time of occurrence for each event. 


Definition 3.5 (Patterns and Views) Given an environment automaton A, a view is a
pair (G, local_time), where:

• G = (V, E) is a directed graph. Each point p ∈ V is either an action of a send
automaton in A, or a null point that is said to occur at some processor. The arc set
E is such that for each processor v, the subgraph induced by the set of all points that
occur at v is a directed path; in addition, for each Receive_Message(m) point in V
there is an arc (Send_Message(m), Receive_Message(m)) ∈ E from the point of the
corresponding send event.

• local_time is a mapping from the point set V to R. For a point p ∈ V, local_time(p)
is called the local time of p.

A pattern is a triple (G, local_time, now), where (G = (V, E), local_time) is a view, and now
maps the points of V to R⁺. For a point p ∈ V, now(p) is called the real time of p.


Note that views and patterns contain only actions of the send automata. This information 
is sufficient, since by the non-interfering filtering property, CSAs must relay messages in- 
stantaneously between the send automata and the links. In addition, recall that actions 
of the links contain the messages “piggybacked” by the CSA modules, and therefore the 
message contents depend on the specific CSAs in the system. In our definition, the view or 


the pattern of an execution of an environment automaton is independent of the CSAs. 
[Figure 3-11 (a): time-space diagram with axes for s and v; m travels from v to s and m′
from s to v. Figure 3-11 (b): the pattern of the scenario, one point per event:
  v: send_message(m)                    local_time = −1, now = 0
  s: receive_message(m)                 local_time = 1,  now = 2
  s: null point (distinguished event)   local_time = 2,  now = 2.5
  s: send_message(m′)                   local_time = 3,  now = 3.5
  v: receive_message(m′)                local_time = 8,  now = 9
The arcs are v's two points in local-time order, s's three points in local-time order, and
the two message arcs send_message(m) → receive_message(m) and
send_message(m′) → receive_message(m′).]

Figure 3-11: An example of a scenario (a) with its pattern (b). Without the now attributes
of the points, the pattern is a view.


Example. Let us exemplify the concepts of views and patterns using a scenario that was
mentioned in the Introduction. We have a system that consists of two processors s and v,
connected by a bidirectional communication link. In Figure 3-11 (a) we give a time-space
diagram of the following scenario. At real time 0, processor v, whose local clock shows −1,
sends a message m to s; processor s receives m at real time 2, when its local clock shows 1.
Some distinguished event occurs at s at real time 2.5, when its local clock shows 2. (This
event may be an internal event such as flipping a bit, or just the fact that the local clock
shows 2.) At real time 3.5, when the local clock of s shows 3, s sends a message m′ to v;
m′ is received at v at real time 9, when its local clock reads 8.

In Figure 3-11 (b) we give an illustration of the pattern based on this scenario, with a
null point for the distinguished event. If we remove the now attributes of the points in the
pattern, the result is a view. ∎


Remarks. 

1. Null points in views have only two attributes, namely site of occurrence and local 
time of occurrence. (In patterns, they also have real time of occurrence.) Null points will 
be used to enable us to refer to points in which there is no action of the environment. 

2. Notice that given an execution of the environment automaton (or a clock synchro-
nization system), its pattern and its view (without null points) are naturally defined, where
for each event there is a point, and for each point there is an outgoing arc connecting it
to the point that corresponds to the next event that occurs at the same processor (if such
a point exists), and each receive point has an incoming arc from the send point of the
corresponding message. Similarly, we can speak about the view of a pattern.
3. The reachability relation in views and patterns of executions is essentially the “hap-
pened before” relation described by Lamport [16]: a point p is reachable from a point q in
the graph of a view of an execution if and only if q “happened before” p.


Introducing null points into views and patterns. We shall introduce null points into
views (and patterns) by stating their processor of occurrence and local time (for patterns,
we shall also state their real time). We use the following convention: when introducing into
a view V a null point p_T that occurs at a processor v at local time T, the resulting view
contains a new point only if there is no other point in V that occurs at v at local time T.
In case V is extended, the modification of the arc set is naturally given: let p_0 be the point
that occurs at v with highest local time such that local_time(p_0) < T, and let p_1 be the
point that occurs at v with smallest local time such that local_time(p_1) > T. In the view
that contains the null point p_T, we have the additional arcs (p_0, p_T) if p_0 exists, and (p_T, p_1)
if p_1 exists, and we delete the arc (p_0, p_1) if both p_0 and p_1 exist.

We follow the same procedure when introducing null points into patterns.


3.2.2 Local Views 


The motivation for the definition of a view is algorithmic: CSA modules have access only
to the information contained in views, as opposed to patterns. (A precise statement of
this intuition is formalized in Theorem 3.4.) However, views are defined with respect to a
complete execution, while we shall usually require CSA modules to produce output before
an (infinite) execution is over. To capture this idea, we define the concept of local view at
a point.


Definition 3.6 (Local View) Given a view V = (G, local_time) and a point p_0 ∈ V, the
local view of V at p_0, denoted prune(V, p_0), is the restriction of V to the points p′ such that
p_0 is reachable from p′ in G. The local view of V at processor v at time T is defined to be
prune(V, p_T), where p_T is a null point that occurs at v at local time T.
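The view machinery of Definitions 3.5 and 3.6 together with the null-point convention, as an added example that is not code from the thesis: the Python below represents a view (or, when every point carries a now attribute, a pattern) as a set of points plus the send-to-receive arcs, derives each processor's directed path from the local-time order of its points, inserts null points by the convention above, computes reachability (Lamport's “happened before”, Remark 3) and prune(V, p), and checks a pattern against message latency bounds. The scenario encoded is the one of Figure 3-11; the class and function names are the example's own.

```python
"""Views, patterns, null points and local views (Definitions 3.5 and 3.6).

Added example, not code from the thesis; the names are the example's own and
the scenario is the one of Figure 3-11.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Point:
    site: str
    local_time: float
    label: str                    # a send/receive action, or "null"
    now: Optional[float] = None   # real time: present in a pattern, absent in a view


class View:
    """Points plus send->receive arcs; per-site arcs follow from local-time order."""

    def __init__(self) -> None:
        self.points = []           # list of Point
        self.message_arcs = set()  # set of (send point, receive point)

    def add_point(self, site, local_time, label, now=None) -> Point:
        p = Point(site, local_time, label, now)
        self.points.append(p)
        return p

    def add_message(self, send: Point, recv: Point) -> None:
        self.message_arcs.add((send, recv))

    def add_null_point(self, site, local_time, now=None) -> Point:
        # Convention of Section 3.2.1: a new point only if none occurs at this site
        # at this local time; the site's path (and hence its arcs) is re-derived.
        for p in self.points:
            if p.site == site and p.local_time == local_time:
                return p
        return self.add_point(site, local_time, "null", now)

    def site_path(self, site) -> list:
        return sorted((p for p in self.points if p.site == site),
                      key=lambda p: p.local_time)

    def arcs(self) -> set:
        arcs = set(self.message_arcs)
        for site in {p.site for p in self.points}:
            path = self.site_path(site)
            arcs.update(zip(path, path[1:]))
        return arcs

    def reachable(self, q: Point, p: Point) -> bool:
        """p is reachable from q in G, i.e. q happened before p (Remark 3)."""
        succ = {}
        for a, b in self.arcs():
            succ.setdefault(a, []).append(b)
        seen, frontier = set(), [q]
        while frontier:
            x = frontier.pop()
            if x == p:
                return True
            if x not in seen:
                seen.add(x)
                frontier.extend(succ.get(x, []))
        return False

    def prune(self, p0: Point) -> "View":
        """Definition 3.6: restrict to the points from which p0 is reachable."""
        kept = [p for p in self.points if self.reachable(p, p0)]
        sub = View()
        sub.points = kept
        sub.message_arcs = {(a, b) for a, b in self.message_arcs
                            if a in kept and b in kept}
        return sub

    def local_view(self, site, local_time) -> "View":
        """Local view at processor `site` at local time `local_time` (Definition 3.6)."""
        copy = View()
        copy.points, copy.message_arcs = list(self.points), set(self.message_arcs)
        return copy.prune(copy.add_null_point(site, local_time))


def pattern_is_consistent(pat: View, L=0.0, H=float("inf")) -> bool:
    """Real time is non-decreasing along every arc, and each message's transit time
    lies in [L, H] (0 and infinity for a perfect asynchronous link)."""
    if any(p.now is None for p in pat.points):
        return False
    if any(b.now < a.now for a, b in pat.arcs()):
        return False
    return all(L <= r.now - s.now <= H for s, r in pat.message_arcs)


def figure_3_11():
    """The scenario of Figure 3-11 as a pattern; returns it and its named points."""
    pat = View()
    pts = {
        "send_m": pat.add_point("v", -1.0, "send_message(m)", now=0.0),
        "recv_m": pat.add_point("s", 1.0, "receive_message(m)", now=2.0),
        "event": pat.add_null_point("s", 2.0, now=2.5),   # the distinguished event
        "send_m2": pat.add_point("s", 3.0, "send_message(m')", now=3.5),
        "recv_m2": pat.add_point("v", 8.0, "receive_message(m')", now=9.0),
    }
    pat.add_message(pts["send_m"], pts["recv_m"])
    pat.add_message(pts["send_m2"], pts["recv_m2"])
    return pat, pts
```

The local view of s at local time 2 contains only the three points that happened before the distinguished event, and the local view of v at local time 3 contains nothing from s at all, since the only message into v arrives at local time 8; this is the information a CSA at that site can actually have at that point, which is what Definition 3.6 is meant to capture.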


For clock synchronization systems, as defined in this chapter, we have the important 
property that any local view of an execution may actually be the view of the full execution. 
We prove this formally in Theorem 3.2 below. 

First, we define a notion of pruned execution. Informally, the pruned execution of an
automaton A in a clock synchronization system with respect to some point p is the portion
of the execution of A that “happened before” p. An additional complication in the definition
is due to the fact that in a view, only actions of the send automata are present; the actions
of the link and CSA modules are inferred by the non-interfering filtering property of
the CSAs, which matches Receive_Message and Send_Message events (of send modules and
CSAs) with Receive_Aug_Message and Send_Aug_Message events (of links and CSAs).


Definition 3.7 Let e be an execution of a clock synchronization system S, and let p be any
point in e. The pruned execution of an automaton A with respect to p, denoted prune(e|_A, p),
is defined as follows.

• If A is a send automaton, then prune(e|_A, p) is the prefix of e|_A up to the last event
q such that p is reachable from q in V.

• If A is a CSA automaton at a processor v, then prune(e|_A, p) is the prefix of e|_A up to
the event which corresponds to the last event in prune(e|_{B_v}, p), where B_v is the send
module at v.

• If A is a link automaton connecting processors u and v, then prune(e|_A, p) is the prefix
of e|_A up to the last event in either prune(e|_{C_v}, p) or prune(e|_{C_u}, p), where C_v and C_u
are the CSA modules at v and u, respectively.

Note that if p is an event of A, then the last action in prune(e|_A, p) is p.


We can now state and prove the property of local views. 


Theorem 3.2 Let V be a view of an execution e of a clock synchronization system, and let
p be any point (possibly a null point) in V. Then there exists an execution e′ of the system
whose complete view is prune(V, p), and such that for each CSA module C_v, prune(e|_{C_v}, p) =
prune(e′|_{C_v}, p).


Proof: We start by defining executions for each component of the system separately.

Consider an arbitrary send module A_v. By the specification of send modules, it is clear
that prune(e|_{A_v}, p) can be extended to a full execution e′_{A_v} of A_v with no events other than
the ones in prune(e|_{A_v}, p). Furthermore, this can be done in a way such that e|_{A_v} and e′_{A_v}
have the same clock functions (cf. Def. 2.12).

Next, consider a link automaton L_vu. Since link automata can drop messages arbitrarily,
we have that for any execution e_vu of L_vu and for any point q_0, there exists an execution
e′_vu such that e_vu and e′_vu have the same view up to point q_0, and such that in e′_vu there
are no Receive_Aug_Message events after q_0. We thus get executions e′_vu for all links
L_vu, whose views agree with V for all points up to the last point in prune(e|_{L_vu}, p).

Using Corollary 2.4.1, we can obtain from the executions e′_{A_v} of all send modules A_v,
and from the executions e′_vu of all links L_vu, an execution e′_E of the environment that has
view prune(V, p), and such that e′_E and e have the same clock functions.

Consider now a CSA module C_v at a processor v. We can extend prune(e|_{C_v}, p) to a full
execution e′_{C_v} of C_v that has the same clock function as in e|_{C_v}, and in which no further input
actions are taken. Since all the output actions C_v may take, by the non-interfering filtering
property, are in e′_{C_v}, it must be the case that e′_{C_v} has the same view as prune(e|_{C_v}, p).

By construction, the execution e′_E of the environment and the executions e′_{C_v} of the CSA
modules C_v agree on the actions and the clock functions of the sites they share. Hence,
using Corollary 2.4.1 once again, we can obtain an execution e′ of the system, whose view
is prune(V, p). ∎


3.2.3 Representation of Real-Time Specification

Our next step is to give a more convenient representation for the real-time specification of an
environment automaton. Recall that we have modeled real-time specifications using clock
drift bounds (denoted $\varrho$ and $\bar{\varrho}$) and message latency bounds (denoted $L(m)$ and $H(m)$). In
this section we state these specifications as bounds on the difference between the real time
of occurrence of pairs of points.

We shall make frequent use of the following concepts.


Definition 3.8 (Actual and Virtual Delays) Let $p$ and $q$ be two points of a given pattern
$P$. The actual delay of $p$ relative to $q$ in $P$, and the virtual delay of $p$ relative to $q$ in
$P$, are defined by†

$$\mathit{act\_del}_P(p,q) = \mathit{now}_P(p) - \mathit{now}_P(q),$$
$$\mathit{virt\_del}_P(p,q) = \mathit{local\_time}_P(p) - \mathit{local\_time}_P(q).$$

†Throughout this work, we use the following rule when defining a difference of two quantities: $F(x,y) = f(x) - f(y)$, i.e., subtract the second quantity from the first.

The definition of virtual delays extends naturally when we are given only a view.


We also use the following notion. 


Definition 3.9 (Adjacent Points) Two points $p, q$ in a given view $V = (G, \mathit{local\_time})$
are called adjacent points if there is a directed arc between them in $G$.

More intuitively, the above definition (in conjunction with Def. 3.5) says that two points
are called adjacent if they occur one after the other in the same processor, or if one is a
send event and the other is the corresponding receive event.


Using the above definitions, we define the key concept of bounds mapping. 


Definition 3.10 (Bounds Mapping) A bounds mapping for a view $V$ is a function $B$
that maps every pair $p, q$ of adjacent points in $V$ to a number such that $-\infty < B(p,q) \le \infty$.

A pattern with view $V$ is said to satisfy $B$ if for all pairs of adjacent points $p, q$ we have

$$\mathit{act\_del}(p,q) \le B(p,q).$$

The general notion of bounds mapping as defined above is not necessarily related to
the real-time specification of the environment. The connection is made in the notion of
standard bounds mapping, defined as follows.


Definition 3.11 Let $B$ be a bounds mapping for a view $V$ of an execution of a clock syn-
chronization system. $B$ is said to be the standard bounds mapping for $V$ if the following
holds.

• For a message $m$ with send point $p$, receive point $q$, and latency bounds $L(m)$ and
$H(m)$, we have $B(q,p) = H(m)$ and $B(p,q) = -L(m)$.

• Let $p$ be the immediate predecessor of $q$ at a processor with $(\varrho, \bar{\varrho})$-clock. Then
$B(q,p) = \mathit{virt\_del}(q,p)/\varrho$, and $B(p,q) = \mathit{virt\_del}(p,q)/\bar{\varrho}$.


The following lemma can be thought of as the "soundness" of the standard bounds
mapping.

Lemma 3.3 All patterns of executions of an environment satisfy their standard bounds
mapping.

Proof: By definitions. ∎


Remarks.

1. It is clear from Definition 3.10 that the notion of bounds mapping is in fact more
general than the notion of real time specification used so far: using bounds mapping, we
can model clocks with drift bounds that are not fixed.

2. The standard bounds mapping has the property of being stated in terms of quantities
that are available to the CSA, either as system specification (i.e., $L(m)$, $H(m)$, $\varrho$, $\bar{\varrho}$), or as
the local times. Consequently, we may assume without loss of generality that given an
environment, the standard bounds mapping can be used in specifying CSA modules.
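As an added illustration of Definitions 3.8 to 3.11 (example code, not from the thesis): the standard bounds mapping is computed from a constructed view alone, and Definition 3.10 is then checked against two constructed patterns that attach real times to that view, one of which violates a message latency bound. The site names, drift bounds and times are assumptions made for the example.

```python
"""Added example (not from the thesis): the standard bounds mapping of
Definition 3.11 built from a view, and the satisfaction check of Definition 3.10
run against patterns that add real times to that view.  Sites, points, bounds
and times below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INF = float("inf")

@dataclass(frozen=True)
class Point:
    name: str
    site: str
    local_time: float            # part of the view, available to the CSA
    now: Optional[float] = None  # real time; only a pattern has it

@dataclass(frozen=True)
class Message:
    send: str   # name of the send point p
    recv: str   # name of the receive point q
    L: float    # latency lower bound L(m)
    H: float    # latency upper bound H(m); INF if unbounded

def virt_del(p: Point, q: Point) -> float:
    """Definition 3.8: local_time(p) - local_time(q) (second subtracted from first)."""
    return p.local_time - q.local_time

def act_del(p: Point, q: Point) -> float:
    """Definition 3.8: now(p) - now(q); needs a pattern, not just a view."""
    assert p.now is not None and q.now is not None
    return p.now - q.now

def standard_bounds_mapping(points: List[Point], messages: List[Message],
                            drift: Dict[str, Tuple[float, float]]) -> Dict[Tuple[str, str], float]:
    """Definition 3.11.  drift[site] = (rho_lo, rho_hi): the clock at that site
    advances between rho_lo and rho_hi local units per real unit, 0 < rho_lo <= rho_hi.
    The result maps each ordered pair (p, q) of adjacent points (Definition 3.9)
    to an upper bound on act_del(p, q).  Only view information is used."""
    B: Dict[Tuple[str, str], float] = {}
    for m in messages:                    # message arcs: send p, receive q
        B[(m.recv, m.send)] = m.H         # now(q) - now(p) <= H(m)
        B[(m.send, m.recv)] = -m.L        # now(p) - now(q) <= -L(m), i.e. latency >= L(m)
    for site in {p.site for p in points}: # processor arcs: consecutive points at a site
        seq = sorted((p for p in points if p.site == site), key=lambda p: p.local_time)
        rho_lo, rho_hi = drift[site]
        for p, q in zip(seq, seq[1:]):    # p is the immediate predecessor of q
            B[(q.name, p.name)] = virt_del(q, p) / rho_lo   # slowest clock: longest real gap
            B[(p.name, q.name)] = virt_del(p, q) / rho_hi   # fastest clock: shortest real gap
    return B

def violations(points: List[Point], B: Dict[Tuple[str, str], float]) -> List[Tuple[str, str]]:
    """Definition 3.10: the adjacent pairs (p, q) of a pattern with act_del(p, q) > B(p, q).
    An empty result means the pattern satisfies B."""
    by_name = {p.name: p for p in points}
    return sorted(pair for pair, bound in B.items()
                  if act_del(by_name[pair[0]], by_name[pair[1]]) > bound + 1e-12)

# Constructed view: u sends to v, v replies to u.  u's clock may drift by 1%; v is drift-free.
VIEW = [Point("u1", "u", 10.0), Point("v1", "v", 105.0),
        Point("v2", "v", 106.0), Point("u2", "u", 14.0)]
MESSAGES = [Message("u1", "v1", L=1.0, H=3.0), Message("v2", "u2", L=1.0, H=3.0)]
DRIFT = {"u": (0.99, 1.01), "v": (1.0, 1.0)}
B_STD = standard_bounds_mapping(VIEW, MESSAGES, DRIFT)

def with_real_times(times: Dict[str, float]) -> List[Point]:
    """Turn the view into a pattern by attaching constructed real times."""
    return [Point(p.name, p.site, p.local_time, times[p.name]) for p in VIEW]

GOOD_TIMES = {"u1": 10.0, "v1": 12.0, "v2": 13.0, "u2": 14.0}  # satisfies B_STD
BAD_TIMES = {"u1": 10.0, "v1": 13.5, "v2": 13.0, "u2": 14.0}   # first message took 3.5 > H(m)

if __name__ == "__main__":
    for pair, bound in sorted(B_STD.items()):
        print(f"B{pair} = {bound:.4f}")
    print("good pattern violations:", violations(with_real_times(GOOD_TIMES), B_STD))
    print("bad pattern violations: ", violations(with_real_times(BAD_TIMES), B_STD))
```

In the bad pattern the late receive at v also puts v1 after v2 in real time although v1 precedes v2 locally, so the processor arc (v1, v2) is reported as a second violation.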


3.3 The Completeness of the Standard Bounds Mapping


In this section we state and prove the main property of the system we shall use for proving
lower bound results. First, we show that if a given pattern has a view of some execution
of the system, and if it satisfies the timing specification of the system, then in fact there
exists an execution with that pattern. This can be thought of as a richness property of the
set of executions of the system. In addition, the theorem below says that regardless of
the underlying execution, the basic state of CSA modules (which determines the output)
depends only on the view of the execution. To this end, we introduce the following definition.


Definition 3.12 Two executions $e = w_0 \pi_1 w_1 \ldots$ and $e' = w'_0 \pi'_1 w'_1 \ldots$ of a CSA are said to
be equivalent if the following conditions hold.

(1) For all $i$, we have $\pi_i = \pi'_i$ and $\mathit{local\_time}(\pi_i) = \mathit{local\_time}(\pi'_i)$.

(2) For all $i$, for any state $s$ in the range of $w_i$ and any state $s'$ in the range of $w'_i$, we
have $\mathit{basic}(s) = \mathit{basic}(s')$.

Condition (1) says that for all $i$, the ranges of local times in the corresponding trajectories
$w_i$ and $w'_i$ are the same. Also, recall that by the real time blindness of CSAs, the basic
component of the state is constant over a trajectory, and hence Condition (2) above says
that for all $i$, the basic components of the state in the corresponding trajectories $w_i$ and $w'_i$
are the same.

The following theorem can also be viewed as a converse to Lemma 3.3. In a sense, we
show that the standard bounds mapping is complete with respect to a view.
Theorem 3.4 Let $V$ be a view of an execution $e$ of a clock synchronization system $S$, and
let $B$ be the standard bounds mapping for $V$. Let $P$ be any pattern of the environment
automaton with view $V$. If $P$ satisfies $B$, then there exists an execution $e'$ of $S$ with pattern
$P$. Moreover, for each CSA module $C_v$, the executions of $C_v$ in $e$ and $e'$ are equivalent.

Proof: The proof is straightforward, but somewhat tedious. Our strategy to construct $e'$ is
as follows. We first construct individual executions for the send modules, the link automata
and the CSA modules of $S$, based on $P$ and on $e$. Then we apply Corollary 2.4.1 and get
an execution $e'$ of $S$ with the required properties. The idea is that pairs of real and local
times given in $P$ can be used, by interpolation, to define complete clock functions for the
desired execution $e'$. With these clock functions, we get executions of the send automata
and the CSA module quite easily, since they are real-time blind. For the link automata,
some extra work is needed, because their state is affected directly by time passage.


Defining clock functions. We define a function $\mathit{local\_time}'_v : \mathbb{R}^+ \to \mathbb{R}$ for each site $v \in$
$\mathit{sites}(S)$. These functions describe the local times at the sites as a function of real time.
(Whereas a clock function is usually defined in terms of an execution, here we first define
the clock function and then proceed to construct the execution.) Some values of the clock
function are already specified by the pattern; intuitively, our construction simply connects
these values by linear interpolation, with (possibly) some special treatment of the first and
last segments. Formally, for each site $v$, we define a local clock function $\mathit{local\_time}'_v(t)$ for
all $t \ge 0$ using the given pattern $P$ and the following rule.

1. If there exists in $P$ some point $p_i$ that occurs at $v$ with $\mathit{now}(p_i) = t$, we set $\mathit{local\_time}'_v(t)$
to be $\mathit{local\_time}_P(p_i)$.

2. Otherwise, let $p_0$ be the point in $P$ with maximal real time such that $p_0$ occurs at $v$
and $\mathit{now}(p_0) < t$. Let $t_0 = \mathit{now}(p_0)$ and $T_0 = \mathit{local\_time}(p_0)$. If there is no such point,
$t_0$ and $T_0$ are undefined. Similarly, let $p_1$ be the point in $P$ with minimal real time
such that $p_1$ occurs at $v$ and $\mathit{now}(p_1) > t$. Let $t_1 = \mathit{now}(p_1)$ and $T_1 = \mathit{local\_time}(p_1)$.
If there is no such point, $t_1$ and $T_1$ are undefined. We distinguish among the following
cases.

(a) If both $p_0$ and $p_1$ are undefined (i.e., no point occurs at $v$), we define for all $t \ge 0$,
$$\mathit{local\_time}'_v(t) = c \cdot t,$$
where $c$ is any constant in the range $[\varrho, \bar{\varrho}]$.

(b) If only $p_0$ is undefined (i.e., $t$ is smaller than the real time of the first point that
occurs at $v$), we define
$$\mathit{local\_time}'_v(t) = T_1 - c' \cdot (t_1 - t),$$
where $c'$ is any constant in the range $[\varrho, \bar{\varrho}]$.

(c) If only $p_1$ is undefined (i.e., $t$ is larger than the real time of the last point that
occurs at $v$), we define
$$\mathit{local\_time}'_v(t) = T_0 + c'' \cdot (t - t_0),$$
where $c''$ is any constant in the range $[\varrho, \bar{\varrho}]$.

(d) If both $p_0$ and $p_1$ are defined (i.e., there are points that occur at $v$ with real time
strictly less and strictly more than $t$), we define
$$\mathit{local\_time}'_v(t) = T_0 + (t - t_0) \cdot \frac{T_1 - T_0}{t_1 - t_0}.$$

Notice that $\mathit{local\_time}'_v$ is well defined in case (2d) since $t_0 < t < t_1$. It is straightforward
to verify that the local clock functions thus defined are continuous. Also, since $\varrho > 0$ and
since $P$ satisfies the standard bounds mapping, we get that the local clock functions are
monotonically increasing. Therefore, $\mathit{local\_time}'_v$ is invertible (at least) on $[T_v, \infty)$, where
$T_v$ is the local time of the first point in $P$ that occurs at $v$ (if it exists). We denote the
inverse function by ${\mathit{local\_time}'_v}^{-1}$.
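The interpolation rule above, carried out for one site as an added example (not the thesis's own code): the class implements cases 1 and 2(a) to 2(d), the inverse used in Eq. (3.1) below, and the processor-arc condition of the standard bounds mapping that guarantees monotonicity. The points, drift bounds and the choice of the constant $c$ are assumptions of the example.

```python
"""Added example (not from the thesis): the local clock function local_time'_v
of the proof of Theorem 3.4, built by linear interpolation from the points of a
pattern P at one site v, together with its inverse."""
from bisect import bisect_left
from typing import List, Optional, Tuple

class LocalClock:
    """local_time'_v for one site v.  points are (now, local_time) pairs of the
    points of P at v, sorted by real time; rho_lo, rho_hi are the drift bounds."""

    def __init__(self, points: List[Tuple[float, float]], rho_lo: float, rho_hi: float,
                 c: Optional[float] = None):
        if not 0 < rho_lo <= rho_hi:
            raise ValueError("need 0 < rho_lo <= rho_hi")
        self.nows = [t for t, _ in points]
        self.locs = [T for _, T in points]
        if self.nows != sorted(set(self.nows)):
            raise ValueError("points must be sorted by distinct real times")
        self.rho_lo, self.rho_hi = rho_lo, rho_hi
        # c stands for the constants c, c', c'' of cases (a)-(c): any rate in [rho_lo, rho_hi]
        self.c = rho_lo if c is None else c
        if not rho_lo <= self.c <= rho_hi:
            raise ValueError("c must lie in [rho_lo, rho_hi]")

    def satisfies_drift_bounds(self) -> bool:
        """The processor arcs of the standard bounds mapping: every segment between
        consecutive points of P at v has slope in [rho_lo, rho_hi].  With rho_lo > 0
        this is what makes the interpolated function strictly increasing."""
        for t0, T0, t1, T1 in zip(self.nows, self.locs, self.nows[1:], self.locs[1:]):
            slope = (T1 - T0) / (t1 - t0)
            if not self.rho_lo - 1e-12 <= slope <= self.rho_hi + 1e-12:
                return False
        return True

    def __call__(self, t: float) -> float:
        """local_time'_v(t) for real time t >= 0."""
        if t < 0:
            raise ValueError("real time must be non-negative")
        i = bisect_left(self.nows, t)
        if i < len(self.nows) and self.nows[i] == t:   # case 1: t is a point of P at v
            return self.locs[i]
        if not self.nows:                               # case 2(a): no point occurs at v
            return self.c * t
        if i == 0:                                      # case 2(b): before the first point
            return self.locs[0] - self.c * (self.nows[0] - t)
        if i == len(self.nows):                         # case 2(c): after the last point
            return self.locs[-1] + self.c * (t - self.nows[-1])
        t0, T0 = self.nows[i - 1], self.locs[i - 1]     # case 2(d): interpolate
        t1, T1 = self.nows[i], self.locs[i]
        return T0 + (t - t0) * (T1 - T0) / (t1 - t0)

    def inverse(self, T: float) -> float:
        """local_time'_v^{-1}(T): the unique real time t with local_time'_v(t) = T,
        obtained by inverting the same segment the forward map would use."""
        i = bisect_left(self.locs, T)
        if i < len(self.locs) and self.locs[i] == T:
            return self.nows[i]
        if not self.locs:
            return T / self.c
        if i == 0:
            return self.nows[0] - (self.locs[0] - T) / self.c
        if i == len(self.locs):
            return self.nows[-1] + (T - self.locs[-1]) / self.c
        t0, T0 = self.nows[i - 1], self.locs[i - 1]
        t1, T1 = self.nows[i], self.locs[i]
        return t0 + (T - T0) * (t1 - t0) / (T1 - T0)

# Constructed pattern points at site v: (now, local_time); drift bounds [0.99, 1.05].
SAMPLE_POINTS = [(10.0, 100.0), (14.0, 104.2), (20.0, 110.2)]

if __name__ == "__main__":
    clk = LocalClock(SAMPLE_POINTS, 0.99, 1.05, c=1.0)
    print("satisfies drift bounds:", clk.satisfies_drift_bounds())
    for t in (5.0, 10.0, 12.0, 17.0, 25.0):
        print(f"local_time'_v({t}) = {clk(t):.3f}, inverse -> {clk.inverse(clk(t)):.3f}")
```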

This concludes the definition of the local clock functions. Using these functions, we next
define executions of the individual components of the system. The idea is to use the original
execution $e$, keep the local times of the points, but "shift" and "stretch" the real times so
that they agree with $P$.
Send modules. We now construct an execution $e'_{A_v}$ of a send module $A_v$ that agrees with
$P$. Most of the work was already done in the definition of the local clocks, since the state of
a send module consists merely of local and real times. More specifically, let the subsequence
of actions of $A_v$ in $P$ be $P_{A_v} = (\pi^S_1, \pi^S_2, \ldots)$. Since $A_v$ has no internal actions, all its steps are
specified by $P_{A_v}$. To get a complete description of the desired execution $e'_{A_v} = (w^S_0 \pi^S_1 w^S_1 \ldots)$
of $A_v$, we need only to specify the trajectories $w^S_i$. Recall that the state of a send module is
a pair $(\mathit{now}, \mathit{local\_time})$ of real and local time. Let $i \ge 0$, and let $\mathit{now}(\pi^S_i) \le t \le \mathit{now}(\pi^S_{i+1})$,
where we define $\mathit{now}(\pi^S_0) = 0$, and if there is no $\pi^S_{i+1}$, we define $\mathit{now}(\pi^S_{i+1}) = \infty$. Then we
define the trajectory $w^S_i$ by $w^S_i(t) = (t, \mathit{local\_time}'_v(t))$.

It is straightforward to see that $e'_{A_v}$ thus constructed is an execution of $A_v$: we first
need to check that $w^S_i$ is a trajectory for all $i \ge 0$. This is easy, since the only restriction
on time passage steps is that they observe the drift bounds, and this is guaranteed by the
construction. Since the discrete actions have no effect on the state, all that remains to be
verified is that $w^S_0(0)$ is a start state, which is true because $\mathit{now}(w^S_0(0)) = 0$ by construction.
CSA modules. Consider a CSA module at site $v$, and let $e|_{CSA} = (w_0 \pi_1 w_1 \ldots)$ be the
projection of $e$ on that module. By Lemma 2.3, $e|_{CSA}$ is an execution of the CSA. We now
construct another execution $e'_{CSA} = (w^C_0 \pi^C_1 w^C_1 \ldots)$ of the CSA, which agrees with $P$ on the
visible actions. The first step in the construction is to fix the sequence of actions in $e'_{CSA}$
to be the same as in $e|_{CSA}$. To complete the specification of $e'_{CSA}$, we need to define the
trajectories.

It is convenient to first define local and real times for the steps. For the visible steps in
$e'_{CSA}$, we have local and real times already specified by $P$. For internal steps, the idea is
to keep the local times as in $e$, and to set the real time to be in accordance with the local
clock functions defined above. Specifically, let $\pi^C_i$ be an internal step of the CSA. We abuse
notation slightly and denote by $\mathit{local\_time}_{e|_{CSA}}$ the local clock function in $e$ at site $v$. We define

$$\mathit{local\_time}_{e'_{CSA}}(\pi^C_i) = \mathit{local\_time}_{e|_{CSA}}(\pi_i).$$

To set the $\mathit{now}$ component, we use the inverse of the local clock function as follows:

$$\mathit{now}_{e'_{CSA}}(\pi^C_i) = {\mathit{local\_time}'_v}^{-1}\big(\mathit{local\_time}_{e|_{CSA}}(\pi_i)\big), \qquad (3.1)$$

i.e., the real time of occurrence of an action $\pi^C_i$ is given by the unique $t$ such that $\mathit{local\_time}'_v(t)$
is the local time of occurrence of $\pi_i$ in $e|_{CSA}$ (we shall see later that this number is well
defined).

We now define the trajectories $w^C_i$ in $e'_{CSA}$ for all $i \ge 0$. Again, we use $e|_{CSA}$. More
specifically, to define a trajectory $w^C_i$ in $e'_{CSA}$, we use the parallel trajectory $w_i$ in $e|_{CSA}$ as
follows. Let $t \in [\mathit{now}(\pi^C_i), \mathit{now}(\pi^C_{i+1})]$ for any $i \ge 0$ (where we define $\mathit{now}(\pi^C_0) = 0$ and if
$\pi^C_{i+1}$ does not exist, we define $\mathit{now}(\pi^C_{i+1}) = \infty$). The trajectory $w^C_i$ is defined by

$$\mathit{now}_{e'_{CSA}}(w^C_i(t)) = t$$
$$\mathit{local\_time}_{e'_{CSA}}(w^C_i(t)) = \mathit{local\_time}'_v(t)$$
$$\mathit{basic}_{e'_{CSA}}(w^C_i(t)) = \mathit{basic}_{e|_{CSA}}(w_i(t')), \qquad (3.2)$$

where $t'$ is any number in the domain of $w_i$.
Let us show that our construction is well defined. First, note that since $e|_{CSA}$ is an execu-
tion of a CSA, its initial state must be quiescent, and hence, by Lemma 3.1, $\pi_1$ is not an in-
ternal action of the CSA. Therefore, there is a step of the send module in $P$ whose local time
is $\mathit{local\_time}(\pi^C_1)$, which implies that ${\mathit{local\_time}'_v}^{-1}$ is defined over $[\mathit{local\_time}_{e|_{CSA}}(\pi_1), \infty)$.
This, in turn, implies that Eq. (3.1) is well defined. Finally, note that by real-time blindness,
the basic component of the state of a CSA is fixed throughout a trajectory, and therefore
Eq. (3.2) is not ambiguous.

Next, notice that conditions (1) and (2) in the statement of the theorem are satisfied by
the construction. This is true since for all $i \ge 0$, all the states in the range of $w^C_i$ have the
same basic component, which is the same as the basic component of all states in the range
of $w_i$; in addition, for $i \ge 1$, the intervals of local times in $w^C_i$ and $w_i$ are the same.

We now show that $e'_{CSA}$ is an execution of the given CSA. To show that we use heavily
the real-time blindness property. First, we prove that $w^C_i$ is a trajectory of the CSA for
all $i \ge 0$. Let $s_1 = w^C_i(t)$ and $s_2 = w^C_i(t')$ be two states, where $t < t'$. Let $s^*_1$ and $s^*_2$
be the states in the corresponding trajectory $w_i$ that satisfy $\mathit{local\_time}(s^*_1) = \mathit{local\_time}(s_1)$
and $\mathit{local\_time}(s^*_2) = \mathit{local\_time}(s_2)$. This is possible since by construction, $w_i$ and $w^C_i$ agree
on the local time in their endpoints, and since the local clock function is continuous. Also
by construction, $\mathit{basic}(s_1) = \mathit{basic}(s^*_1)$ and $\mathit{basic}(s_2) = \mathit{basic}(s^*_2)$; moreover, it is easy to see
that $\mathit{local\_time}(s_2) - \mathit{local\_time}(s_1) \in [\varrho(t' - t), \bar{\varrho}(t' - t)]$ by the assumption that $P$ satisfies
the standard bounds mapping. Since $s^*_1 \leadsto s^*_2$, we get from the real-time blindness of the
CSA that $s_1 \leadsto s_2$, as required in this case.

Consider now a discrete action $\pi^C_i$. Let $s_1 = \mathit{l\_state}(w^C_{i-1})$, $s_2 = \mathit{f\_state}(w^C_i)$, $s^*_1 =$
$\mathit{l\_state}(w_{i-1})$, and $s^*_2 = \mathit{f\_state}(w_i)$. By construction we have that $s_1$ and $s^*_1$ may differ
only in their $\mathit{now}$ component, and similarly $s_2$ and $s^*_2$. From the construction we also have
that $\mathit{now}(s_1) = \mathit{now}(s_2)$ and $\mathit{local\_time}(s_1) = \mathit{local\_time}(s_2)$. Since we know that $s^*_1 \xrightarrow{\pi_i} s^*_2$,
we get from real-time blindness that $s_1 \xrightarrow{\pi^C_i} s_2$, as required for this case. This completes the
proof that $e'_{CSA}$ is an execution of the CSA.


Link automata. Consider now a link automaton $L_{uv}$. By the non-interfering filtering prop-
erty, in $e$ there exist natural bijections between the Send_Aug_Message$_u$ actions of $L_{uv}$ and
the Send_Message$_u$ actions of $A_u$, and between the Receive_Aug_Message$_v$ actions of $L_{uv}$
and the Receive_Message$_v$ actions of $A_v$. Since all the actions of $A_u$ and $A_v$ appear also in
$P$, using these bijections we can define a sequence $P_{L_{uv}} = (\pi^L_1, \pi^L_2, \ldots)$ which contains all
the actions of $L_{uv}$ that correspond to actions of $A_u$ and $A_v$ in $P$. Notice also that using these bijec-
tions, each event in $P_{L_{uv}}$ inherits a $\mathit{now}$ component, and that the causality mapping $\gamma$ can
be extended so that for each Receive_Aug_Message event $p$ there is a Send_Aug_Message
event $q$ satisfying $q = \gamma(p)$. We use these extended notions in the construction below.

Our goal is to construct an execution $e'_{L_{uv}} = (w^L_0 \pi^L_1 w^L_1 \ldots)$ of $L_{uv}$ that agrees with $P_{L_{uv}}$.
Similarly to the case of send modules, $L_{uv}$ has no internal steps, and hence all the steps $\pi^L_i$
are already specified by $P_{L_{uv}}$. It remains to specify the trajectories of $e'_{L_{uv}}$. We shall use
the following notation.
Notation 3.13 The contents of the multiset $Q_{uv}$ at state $s$ is denoted $Q(s)$.

We define $Q(w^L_0(0)) = \emptyset$, and $\mathit{now}(w^L_0(0)) = 0$. The rest of the construction is done
inductively. Suppose that $\mathit{f\_state}(w^L_i)$ is defined. For $t$ in the domain of $w^L_i$, we define
$\mathit{now}(w^L_i(t)) = t$, and $Q(w^L_i(t))$ is defined by a bijection from $Q(\mathit{f\_state}(w^L_i))$ using the
following rule:

$$Q(\mathit{f\_state}(w^L_i)) \ni (m_1, m_2, t') \;\mapsto\; (m_1, m_2, t' - t + \mathit{f\_now}(w^L_i)) \in Q(w^L_i(t)). \qquad (3.3)$$

In other words, the third component $t'$ in each triple $(m_1, m_2, t')$ stored in $Q_{uv}$ at the start
of $w^L_i$ is reduced by the amount of time that has elapsed since the start of $w^L_i$. To define
the start state of trajectories $w^L_i$ with $i > 0$, we define $Q(\mathit{f\_state}(w^L_i))$ as a modification of
$Q(\mathit{l\_state}(w^L_{i-1}))$, with the help of the (extended) causality function $\gamma$. Specifically, suppose
first that $\pi^L_i = $ Send_Aug_Message$(m_1, m_2)$. Then we define

$$Q(\mathit{f\_state}(w^L_i)) = Q(\mathit{l\_state}(w^L_{i-1})) \cup \{(m_1, m_2, \mathit{act\_del}(\pi^L_j, \pi^L_i)) : \gamma(\pi^L_j) = \pi^L_i\}. \qquad (3.4)$$

In words, $Q_{uv}$ is augmented by one triple for each copy of $(m_1, m_2)$ that will be received in
the future, as specified by $\gamma$.

If $\pi^L_i = $ Receive_Aug_Message$(m_1, m_2)$, we define

$$Q(\mathit{f\_state}(w^L_i)) = Q(\mathit{l\_state}(w^L_{i-1})) \setminus \{(m_1, m_2, 0)\}. \qquad (3.5)$$

In words, one copy of $(m_1, m_2, 0)$ is removed from $Q_{uv}$. We show below that $(m_1, m_2, 0) \in$
$Q(\mathit{l\_state}(w^L_{i-1}))$ in this case. This concludes the construction of $e'_{L_{uv}}$.
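The queue construction of Eqs. (3.3) to (3.5), and the invariant $I(s)$ of Notation 3.14 that the proof below relies on, carried out as an added example (not the thesis's code) on a constructed $P_{L_{uv}}$ in which one message is duplicated and one is lost. The event names, message contents, times and the mapping $\gamma$ are assumptions of the example.

```python
"""Added example (not from the thesis): the link queue construction of
Eqs. (3.3)-(3.5) for one link L_uv, driven by a constructed pattern P_L_uv and
causality mapping gamma, plus a check of Invariant I(s) at every state reached."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Event:
    name: str
    kind: str    # "send" = Send_Aug_Message, "recv" = Receive_Aug_Message
    m1: str
    m2: str
    now: float   # real time inherited from P

def advance(q: Counter, elapsed: float) -> Counter:
    """Eq. (3.3): along a trajectory, every triple's remaining delay shrinks by the
    time elapsed since the start of the trajectory."""
    return Counter({(m1, m2, t - elapsed): n for (m1, m2, t), n in q.items()})

def build_link_execution(events: List[Event], gamma: Dict[str, str]) -> List[Counter]:
    """Returns Q(f_state(w_i)) for i = 0..len(events).  Q(w_0(0)) is empty; then for
    each action pi_i the queue is advanced to now(pi_i) and Eq. (3.4) (send) or
    Eq. (3.5) (receive) is applied.  events must be in real-time order."""
    states = [Counter()]                      # Q(w_0(0)) = empty multiset
    now_prev = 0.0
    for e in events:
        q = advance(states[-1], e.now - now_prev)   # reach l_state(w_{i-1})
        if e.kind == "send":
            # Eq. (3.4): one triple per future receive r with gamma(r) = this send,
            # carrying act_del(r, e), the real delay until that copy arrives
            for r in events:
                if r.kind == "recv" and gamma.get(r.name) == e.name:
                    q[(e.m1, e.m2, r.now - e.now)] += 1
        else:
            # Eq. (3.5): remove one matured copy (m1, m2, 0); the proof shows it exists
            key = (e.m1, e.m2, 0.0)
            if q[key] == 0:
                raise ValueError(f"{e.name}: no copy of {key} in Q")
            q[key] -= 1
            if q[key] == 0:
                del q[key]
        states.append(q)
        now_prev = e.now
    return states

def receive_set(events: List[Event], gamma: Dict[str, str], i: int) -> List[Event]:
    """Notation 3.14: R(s) for s = f_state(w_i): receives occurring after s whose
    gamma-image (the send) occurred before s, i.e. among the first i events."""
    before = {e.name for e in events[:i]}
    return [e for e in events[i:] if e.kind == "recv" and gamma[e.name] in before]

def invariant_holds(events: List[Event], gamma: Dict[str, str], states: List[Counter]) -> bool:
    """Invariant I(s) at every s = f_state(w_i): the triples (m1, m2, now(r) - now(s))
    for r in R(s), as a multiset, are exactly Q(s)."""
    for i, q in enumerate(states):
        now_s = events[i - 1].now if i > 0 else 0.0
        expected = Counter((r.m1, r.m2, r.now - now_s) for r in receive_set(events, gamma, i))
        if expected != q:
            return False
    return True

# Constructed P_L_uv: (a,x) is delivered twice, (b,y) is lost, (c,z) is delivered once.
SAMPLE_EVENTS = [Event("s1", "send", "a", "x", 10.0), Event("s2", "send", "b", "y", 11.0),
                 Event("r1", "recv", "a", "x", 12.0), Event("r2", "recv", "a", "x", 13.0),
                 Event("s3", "send", "c", "z", 14.0), Event("r3", "recv", "c", "z", 15.0)]
SAMPLE_GAMMA = {"r1": "s1", "r2": "s1", "r3": "s3"}   # extended causality mapping

if __name__ == "__main__":
    qs = build_link_execution(SAMPLE_EVENTS, SAMPLE_GAMMA)
    for i, q in enumerate(qs):
        print(f"Q(f_state(w_{i})) = {dict(q)}")
    print("invariant I(s) holds at every f_state:", invariant_holds(SAMPLE_EVENTS, SAMPLE_GAMMA, qs))
```

A receive whose send has not yet occurred in the pattern makes the construction fail at Eq. (3.5), which is the situation the proof rules out by showing $(m_1, m_2, 0) \in Q(\mathit{l\_state}(w^L_{i-1}))$.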
We now have to show that $e'_{L_{uv}}$ is an execution of $L_{uv}$. The key to the proof is a certain
invariant; to state it, we introduce another piece of notation.

Notation 3.14 For a state $s$ in $e'_{L_{uv}}$, $R(s)$ is the set of all Receive_Aug_Message events
that occur after state $s$ and such that for all $p \in R(s)$, $\gamma(p)$ occurs before $s$.

With this notation, we state the following invariant, parameterized by a state $s$ of $e'_{L_{uv}}$:

Invariant $I(s)$: There exists a bijection $R(s) \to Q(s)$ that maps each $(m_1, m_2, t) \in$
$Q(s)$ to a step $\pi^L_j \in R(s)$ such that $\pi^L_j = $ Receive_Aug_Message$(m_1, m_2)$ and
$$\mathit{now}(\pi^L_j) - \mathit{now}(s) = t.$$

As a preliminary observation, notice that $I(s)$ implies that for all $(m_1, m_2, t) \in Q(s)$ we
have $t \ge 0$, which implies that $s \in \mathit{states}(L_{uv})$.

Our first step is to prove that if $I(\mathit{f\_state}(w^L_i))$ holds for some $i \ge 0$, then $w^L_i$ is a
trajectory for $L_{uv}$. Consider two states $s = w^L_i(t)$ and $s' = w^L_i(t')$ where $t < t'$, and suppose
$I(s)$ holds. We argue that for all $(m_1, m_2, t) \in Q(s)$, we have that $t \ge \mathit{now}(s') - \mathit{now}(s)$:
for suppose not, i.e., there exists a triple $M = (m_1, m_2, t)$ with $t < \mathit{now}(s') - \mathit{now}(s)$. Then
by $I(s)$, the corresponding Receive_Aug_Message$(m_1, m_2)$ event $\pi^L_M$ occurs after $s$, and for
that event we have $\mathit{now}(\pi^L_M) = \mathit{now}(s) + t < \mathit{now}(s')$. It follows that $\mathit{now}(s) \le \mathit{now}(\pi^L_M) <$
$\mathit{now}(s')$, contradicting the assumption that $s$ and $s'$ are states on the same trajectory, i.e.,
that there is no discrete action that occurs between them. Using this fact, it is easy to
verify that $(s, \nu, s') \in \mathit{trans}(L_{uv})$ according to the construction above.

Next, we show that if $I(s)$ holds, and $s \leadsto s'$, then $I(s')$ holds. Let $h$ be the bijection
between $R(s)$ and $Q(s)$ that satisfies the requirement of $I(s)$. Let $g$ be the bijection induced
by the construction between the elements of $Q(s)$ and $Q(s')$. More specifically, $g$ is the
bijection defined in Eq. (3.3). We thus define $h'$ to be the composition of $h$ and $g$. It is
straightforward to verify that $h'$ satisfies the requirements of $I(s')$.

We have proven that if $I(\mathit{f\_state}(w^L_i))$ holds, then $I(w^L_i(t))$ holds for all $t$ for which
$w^L_i(t)$ is defined, and in particular, $I(\mathit{l\_state}(w^L_i))$ holds, if it exists. We now show, by
induction on $i$, that $I(\mathit{f\_state}(w^L_i))$ holds for all $i \ge 0$. Trivially, $I(\mathit{f\_state}(w^L_0))$ holds
because $Q(w^L_0(0)) = \emptyset$. For the inductive step, let $i > 0$. By the previous claim and the
induction hypothesis, $I(s)$ holds for $s = \mathit{l\_state}(w^L_{i-1})$. Let $h$ denote the bijection that
satisfies $I(s)$. Let $s' = \mathit{f\_state}(w^L_i)$. To show that $I(s')$ holds, we define a bijection $h'$ for $s'$.

Suppose first that $\pi^L_i = $ Send_Aug_Message$_u(m_1, m_2)$. Then by construction $Q(s') \supseteq$
$Q(s)$. Furthermore, by Eq. (3.4), there exists a bijection $f$ between $Q(s') \setminus Q(s)$ and
$R(s') \setminus R(s)$. We can therefore define $h'$ to be the extension of $h$ by $f$, and $I(s')$ holds in this
case.

Suppose now that $\pi^L_i = $ Receive_Aug_Message$_v(m_1, m_2)$. Notice that by the definition
of $R(s)$, we have $\pi^L_i \in R(s)$. Also, by $I(s)$, we have $M = (m_1, m_2, 0) \in Q(s)$. Moreover,
it must be the case that $h(M) = \pi^L_i$. By Eq. (3.5), we have that $Q(s') = Q(s) \setminus \{M\}$,
and by definition, we have that $R(s') = R(s) \setminus \{\pi^L_i\}$. We can therefore define $h'$ to be the
restriction of $h$ on $Q(s')$ and $R(s')$, and $h'$ satisfies the requirements of $I(s')$. This completes
the inductive step.

Finally, note that the fact that $I(\mathit{l\_state}(w^L_i))$ holds for all $i \ge 0$ implies that by con-
struction,

$$(\mathit{l\_state}(w^L_i), \pi^L_{i+1}, \mathit{f\_state}(w^L_{i+1})) \in \mathit{trans}(L_{uv}).$$

We conclude the argument that $e'_{L_{uv}}$ is an execution of $L_{uv}$ by observing the trivial fact
that $w^L_0(0)$ is a start state of $L_{uv}$.


Concluding argument. To conclude the proof of the theorem, we argue that there exists an
execution $e'$ of $S$ such that its projections on the send automata, link automata, and CSA
automata are the executions constructed above. To do that, we first extend $P$ to be a form
for $S$. This is straightforward: we insert into $P$ all visible actions of the sub-executions we
constructed, and for each point, we extend the local time to be a times form using the local
clock functions. Also, we define a form for $S$ with start real time $t_s = 0$ and finish real time
$t_f = \infty$; for all $v \in \mathit{sites}(S)$ we define local start times $T_s(v) = \mathit{local\_time}'_v(0)$, and local
finish times $T_f(v) = \infty$. Now, to apply Corollary 2.4.1 all that remains is to verify that
the local times in the sub-executions constructed above agree on shared sites; but this is
immediate, since for each site we used the same local clock function. Therefore, there exists
the desired execution $e'$. ∎
Summary

In this chapter we defined clock synchronization systems, using the mixed I/O automata
formalism. Our model is geared towards the local competitiveness analysis presented in
Chapter 4. Intuitively, the basic assumptions of the model are as follows.

• The system has an underlying communication graph over which messages are com-
municated.

• Each processor has a local clock with known bounds on the rate of progress, called
clock drift bounds.

• When a message is received, there are known bounds on its time of transit, called
message latency bounds. However, messages may be lost, duplicated, and delivered
arbitrarily out of order.

• Send events are generated arbitrarily by a send module at each processor.

• The clock synchronization algorithm at each processor, abbreviated CSA, may only
append information to outgoing messages, and strip the corresponding information
that arrives on incoming messages. CSAs may not interfere with message traffic
otherwise, and their only access to time is via the local clocks.

We also defined the following concepts.

• An environment is the composition of all send modules and communication links.
Thus an environment controls send and receive events.

• A pattern of an execution of an environment is a directed graph that describes the
execution, where each event is a point, and for each point we have local and real time
of occurrence.

• A view is a pattern without the real time attribute for points. Views of executions of
environments contain information that can be used by CSAs for computation, while
the real time information in patterns is available only for analysis.

• A local view at a point $p$ is the restriction of the view to all the points that "happened
before" $p$ (as defined by Lamport [16]). We proved that any local view of an execution
may be the view of a full execution of the system.

• The virtual delay of a pair of points, denoted $\mathit{virt\_del}$, is the local time of occurrence
of the first point minus the local time of occurrence of the second point.

• The actual delay of a pair of points, denoted $\mathit{act\_del}$, is the real time of occurrence of
the first point minus the real time of occurrence of the second point.

• Two points are called adjacent if either they occur at the same processor one after the
other, or they correspond to the send and receive event of the same message.

• A bounds mapping for a view specifies time upper bounds for the actual delays of
adjacent points. Bounds mapping describes lower bounds as well, by reversing the
order of the points.

• The standard bounds mapping is the "official" bounds mapping, derived from message
latency bounds, clock drift bounds, and local times.

We also proved the fundamental theorem of our model, which says that all the patterns
with a given view which satisfy the standard bounds mapping, are possible patterns of
executions of the system. The theorem also implies that the output of CSAs depends only
on the view of the execution.
Chapter 4

Problem Statements and Quality Evaluation


In this chapter we define the synchronization tasks considered in this thesis, and the way
we evaluate the performance of synchronization algorithms. As we shall see, there is a
natural concept of tightness of synchronization for the clock synchronization problems we
define; the tightness is measured in non-negative real numbers, and an output will be
considered "good" if its tightness is small. However, it is not clear a priori what is the
input for synchronization algorithms. One classical answer for this question is that the
input is the system specification. A typical example for this approach is the paper by
Halpern et al. [13], where designing a synchronization algorithm is viewed as a "game
against nature:" an algorithm is called optimal if it produces the best output under the
worst-case scenario allowable by the system specification. This approach has the appealing
property of robustness, but it may give rise to algorithms that produce the best worst-case
result always, even if the actual execution does not happen to be the worst possible (the
algorithm given in [13] has this property). This is a disadvantage if the environment is not
necessarily adversarial, as may be the case for clock synchronization systems.

Another approach, developed by Attiya et al. [3], is that the input for a synchroniza-
tion algorithm is not only the system specification, but also the actual execution, or more
precisely, the view of the execution.¹ In this approach, an algorithm is called optimal if it

¹Recall that views consist of the events and their local times of occurrence, while executions contain also
the real times of occurrence, which are not available for computation (see Def. 3.5). We remark that Attiya
et al. used the term execution to denote the concept we call view.
produces the best possible output for each given input, i.e., for each possible view of an ex-
ecution (and the system specification for that view). The latter approach is more attractive
since an optimal algorithm in this sense has a stronger guarantee of output quality than
the guarantee made by an optimal algorithm in the former sense.

Both approaches of [3] and [13], however, suffer from an important disadvantage, which
is that the algorithms they consider are centralized and off-line. More specifically, the
algorithms are based on the implicit assumption that all input has been gathered and is
available at a single processor for computation. This is clearly a drawback, since the output
of clock synchronization algorithms typically needs to be available all the time, i.e., on-line.
For example, in the approach of [3], the input is a view of the execution, which contains
certain messages. Notice that this view can be made available at a single processor only
if more messages are sent, in which case the view is necessarily extended. Thus an output
considered optimal for a view may not be optimal when that view is extended to enable
computation.

The approach we present in this chapter can be viewed as a combination of the optimality
notion of [3] with the well-known concept of competitive analysis of on-line algorithms
[32, 23], using Lamport's causality relation [16]. More specifically, in competitive analysis
the quality of the output produced by an on-line algorithm is evaluated at each point with
respect to the input known at that point. In the centralized on-line setting, all past input
is known, and the future input is unknown. In the distributed setting, even past input is
unknown if it is remote and has not been communicated. We therefore define the input
at a point to consist of what can be known locally (called local view in Def. 3.6). We
measure the quality of the output of an algorithm $A$ with respect to the quality of the best
possible output for the given local view. We call the ratio between these quantities the local
competitiveness of algorithm $A$.

The remainder of this chapter is organized as follows. In Section 4.1 we give formal
definitions for the synchronization tasks considered in this thesis. The definition of locally
competitive algorithms is given in Section 4.2. In Section 4.3 we discuss the concept of local
competitiveness in a more general setting.
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4.1 Synchronization Tasks 


In this section we define the specific synchronization tasks we consider in this thesis, namely 
external and internal synchronization. For each problem we give a refined specification of 


the system architecture, a correctness requirement, and a definition of tightness. 


4.1.1 Definition of External Synchronization 


The motivation for external clock synchronization is systems where one of the clocks is 
assumed to show the standard time, and the goal is that all clocks in the system will show 
this standard time as accurately as possible. The name “external synchronization” stems 
from the assumption that the designated clock serves as a source of the external standard 
time into the system. Formally, we shall use the following definition. 

An external synchronization system is a clock synchronization system with the following 
properties. There exists a distinguished processor s, called the source processor, whose local 
clock is drift-free. A CSA module at each processor v has two output variables, denoted 
ext_L_v and ext_U_v. 

For any given state x, let source_time(x) denote the local time at the source in x. The 
correctness requirement of an external CSA at any processor v is that at every reachable 
state x, the output variables at v satisfy source_time(x) ∈ [ext_L_v, ext_U_v]. 

The external tightness of synchronization at processor v at some state is the difference 
(ext_U_v − ext_L_v) at that state. 

Remark. An alternative formulation of the problem would be to require the CSAs to 
produce one number T as an estimate of the current source time, and another number ε 
that bounds the current difference between the estimate and the source time. While the two 
specifications are equivalent if ext_L and ext_U are both finite or both infinite, we prefer 
the (ext_L, ext_U) formulation, since it is slightly more refined: in the case where exactly 
one of the numbers ext_L or ext_U is finite, the output according to the (T, ε) formulation 
is the same as for the case where both ext_L and ext_U are infinite. 


4.1.2 Definition of Internal Synchronization 


We use a variant of the elegant definition of Dolev et al. [7] and Halpern et al. [13], which 
we formulate as follows. (A discussion of the definition is given in Chapter 7.) 




An internal synchronization system is a clock synchronization system, such that each 
CSA module has a special internal action called fire_v, where v is the site of the module. 

The correctness requirement of the internal synchronization task is that first, each pro- 
cessor v takes a fire_v action exactly once during an execution of the system. And secondly, 
the CSA at each processor maintains output variables called int_L_v and int_U_v, such that 
at all states, the real time interval [now(fire_v) + int_L_v, now(fire_v) + int_U_v] contains all 
the fire events in the execution. Intuitively, the output variables provide local guarantees 
for the tightness in which all fire actions are produced in the system. Initially, we will have 
int_L = −∞ and int_U = ∞, and during the execution, int_L may get larger and int_U 
may get smaller. 

The internal tightness at processor v in some state is the difference (int_U_v − int_L_v) 
at that state. The internal tightness of an execution at a processor v is the infimum of the 
internal tightness at v, over all states of the execution. The internal tightness of v in an 
execution e is denoted tightness_v(e). 


4.2 Local Competitiveness 


Local competitiveness is our measure of quality of synchronization algorithms. Intuitively, 
an algorithm is said to be locally K-competitive if its output at any point is at most K times 
worse than the best possible for the local view at that point. We formalize this intuition 
for CSAs as follows. 

Fix a synchronization problem. As described in Section 4.1, each problem has a predicate 
that classifies CSAs as “correct” and “incorrect.” More specifically, the correctness predicate 
classifies executions as correct and incorrect; a CSA is correct if all its executions are correct. 

In Section 4.1 we also defined, for each synchronization problem, a function called tightness, 
that maps states of CSAs to ℝ⁺ ∪ {∞}. By real-time blindness, the tightness is a 
function only of the basic component of the state. Recall that by Theorem 3.4, the basic 
component of a state of a CSA module in an execution depends only on the view of 
the execution. Hence, given a CSA module (in either an internal or an external synchro- 
nization system), the tightness of the view at a given point is well defined. (If the CSA 
is not deterministic, then the tightness is a non-deterministic function of the local view.) 
Using the notions of correct CSAs and tightness of views, we define the key concept of local 
competitiveness as follows. 


Definition 4.1 Let 𝒜 be the set of all correct CSAs for a given environment. Let Θ_A(V, T) 
be the tightness of synchronization in executions with local view V of a processor v at local 
time T, for a system with a CSA module A ∈ 𝒜. An algorithm A is said to be locally 
K-competitive if for all views V, processors v and local times T, 

$$\Theta_A(V,T) \;\le\; K \cdot \inf\{\Theta_{A_0}(V,T) : A_0 \in \mathcal{A}\}.$$

The least number K such that A is K-competitive is the local competitive factor of A. A 
locally 1-competitive algorithm is also called optimal. 


Remarks. 

1. Recall that our model definitions allow for nondeterministic CSAs, i.e., CSAs whose 
output is not a deterministic function of the view. In this case, the correctness requirement 
is that all possible executions are correct. On the other hand, we can define the tightness of 
a view to be the least tightness over all executions with the given view, which means that 
we consider the best possible choices made at the non-deterministic choice points, so long 
as they produce correct results. 

2. It is important to notice that in principle, there always exists a full information 
protocol which is optimal: in this algorithm, the processors send their complete view in 
every message; how to determine the output depends on the specific problem being solved, 
but clearly optimal output can be computed since all the relevant information is available 
locally at each processor, simply because all possible information is there! It is also clear, 
however, that the full information protocol is usually not practical. From the communication 
perspective, the message size blows up rapidly to fantastic lengths; and from the processing 
perspective, it may well be the case that extracting the output from the “full information” 
is computationally infeasible. The goal of the designer of a locally competitive algorithm, 
therefore, is to find what is the relevant information that must be communicated, and how 
to process it efficiently to obtain the desired output. 




4.3 Discussion 


The local competitiveness setting described above is specialized for the two clock syn- 
chronization problems given. It is straightforward to generalize it for other optimization 
problems along the following lines. The analog for local clock would be some source that 
generates inputs; local time at a point would be replaced by the cumulative input up to 
that point. The non-interfering filtering property remains unchanged, which means on one 
hand that a locally competitive algorithm works for any given view, and on the other hand 
that it does not generate messages on its own. The local competitiveness definition can 
be generalized using any positive valued target function that measures the quality of the 
output. 

Approaches similar to local competitiveness were used in the past. For example, see the 
“best effort” algorithm of Fischer and Michael [9] for database management. (It may be 
interesting to note that the algorithm in [9] uses synchronized clocks.) Some other work was 
done by Ajtai et al. [2], after our preliminary paper was published [29]. Loosely speaking, 
in [2] they consider a shared memory system, where an execution is a sequence of processor 
accesses to the shared memory. The order by which processors take steps is given by an 
arbitrary schedule. A task is defined as a predicate over the output values, and a task is said 
to be completed when this predicate is satisfied. In the formulation of [2], the competitive 
factor of an algorithm is the maximum, over all schedules, of the total number of steps 
taken by the algorithm until the task is completed, divided by the minimal number of steps 
required by any correct algorithm to complete the task, under the same schedule. Our 
approach differs in a few technical aspects. First, our model is message passing and not 
shared memory; hence the analog of their “schedule” is our “view.” Secondly, we consider 
an optimization problem, where output must be produced at all times. Hence the quantity 
of interest for us is a target function defined over the output values, whereas in [2], the 
output values are of no interest (provided they are correct), and the implicit target function 
is the number of steps required to produce the output. 

Nevertheless, the local competitiveness approach is not widely accepted. One possible 
reason to reject it is that a locally competitive algorithm does not give an absolute guaran- 
tee but only a relative one. For example, in our formulation a locally competitive algorithm 
never initiates transmission of a message by itself. If no message is sent by the send module, 
then the optimal algorithm may be trivial since the best possible output is trivial. This 
example points to a deeper problem in system design (shared also by the classical competi- 
tiveness model of [32, 23]): the question is to determine what is the input for the algorithm, 
and what is under the control of the algorithm. 

The reader should note, however, that a locally competitive algorithm must do well 
on all cases. In addition, the local competitiveness approach enables us to compare the 
performance of algorithms on equal grounds. For example, consider a system which is a 
ring of processors, and one algorithm that sends messages only clockwise, and another that 
sends messages only counterclockwise. It seems that the two algorithms are incomparable on 
a per-view basis, since effectively they run on different systems. However, if the algorithms 
are locally competitive, they must give good results on both cases. 

Another possible objection to the concept of local competitiveness is the validity of the 
“non-interfering filtering” assumption. This assumption says, among other things, that 
the transmission time of a message is independent of the message added by the CSA, and 
that CSAs relay messages between the send module and the network links instantaneously. 
Strictly speaking, this assumption is false in any physical system. Nevertheless, we argue 
that the non-interfering filtering assumption can serve as a reasonable approximation of 
reality so long as the blowup in message size, and the computation resources required by 
the CSA are negligible. 

We believe that the philosophy behind the concept of local competitiveness best suits 
network-maintenance protocols, e.g., topology update, or other routing protocols, where 
there is always something to be done. It is interesting to observe that in real networks, the 
message delivery system appends “headers” to messages to facilitate delivery. Ideal locally 
competitive algorithms would use such headers, extending them only slightly. 
Summary 


In this chapter we defined the synchronization tasks we consider in this thesis and the way 
we evaluate the performance of algorithms that solve them. 

We defined the problem of external synchronization, in which all processors are trying to 
acquire tight bounds on the reading of one designated processor whose clock is drift-free. In 
the problem of internal synchronization, all processors need to make a distinguished action 
in the smallest possible interval of real time. For each problem we defined the system 
architecture, correctness requirement, and the measure of tightness. 

The quality of a synchronization algorithm is measured by its local competitiveness. 
The local competitiveness of an algorithm is the maximal ratio between the tightness it 
produces at any point, and the best possible tightness for the given local view at that point. 
The concept of local competitiveness can be viewed as a combination of the per-execution 
evaluation approach of [3], competitive analysis [32, 23], and the causality partial order [16]. 

We argued that this approach can be of independent interest as a method for evaluating 
distributed optimization tasks. We compared the concept of local competitiveness with the 
approach of [2], and we discussed some of its advantages and disadvantages. 
Chapter 5 


The Basic Result 


The starting point for this chapter is the following problem: given two points in an execution 
of a clock synchronization system, find the tightest bounds on the real time that elapses 
between their occurrence. The means by which this task is to be accomplished is the CSA 
modules. The “input” available to the CSA modules consists of the events that occurred 
in the system with their local time of occurrence (i.e., the view of the execution), and the 
standard bounds mapping that represents the system timing specification for that view. 
Hence the task can be solved if we can find the set of executions with the given view. 

Our strategy to solve this problem is to reformulate the setting in graph-theoretic lan- 
guage, and solve a more general abstract problem. We first abstract views as labeled 
directed graphs, which we call v-graphs; the only attribute a point has in a v-graph is its 
local time. We also abstract patterns as labeled directed graphs, which we call p-graphs; 
in p-graphs, a point has both local and real time. Bounds mapping is now an abstract 
function that maps pairs of adjacent points in v-graphs to numbers. Using bounds mapping 
and v-graphs, we obtain weighted directed graphs we call synchronization graphs. Then, 
in Theorems 5.4 and 5.5, we prove a characterization of the set of p-graphs that have a 
given v-graph and satisfy a given bounds mapping, in terms of distances in the derived 
synchronization graph. These results are independent of the particular interpretation, but 
to aid intuition, our development is accompanied by an example of an execution of a 
clock synchronization system. 

Then, in the main results of this chapter, we specialize to the case of views and patterns 
of clock synchronization systems. In Theorems 5.6 and 5.7, we use Theorems 5.4 and 5.5 
in conjunction with Theorem 3.4, and prove that the relation proven for p-graphs and 
synchronization graphs holds for patterns of executions of synchronization systems and the 
synchronization graphs derived from the views and bounds mapping. Using Theorem 3.2, 
we also derive a corollary for local views (Theorem 5.8). 

Philosophically, synchronization graphs can be viewed as an extension of the graphs used 
by Lamport to describe executions of completely asynchronous systems [16]. Lamport’s 
graphs are unweighted, and the main property of interest regarding a pair of points is 
whether one is reachable from the other. Reachability expresses the fact that in all possible 
executions which have that graph, one point occurs before the other. By contrast, we 
consider systems with clocks, and define graphs which are weighted. The main property of 
interest regarding two points is the distance between them: this distance expresses bounds 
on the real time that elapsed between their occurrence which is satisfied by all executions 
with that synchronization graph. 

This chapter is organized as follows. In Section 5.1 we present the notions of v-graphs, 
p-graphs, synchronization graphs and prove a relation between these abstract concepts. In 
Section 5.2 we derive the results for clock synchronization systems. 


5.1 Synchronization Graphs 


In this section, we define the notions of v-graphs, p-graphs, and synchronization graphs. 
V-graphs and p-graphs are abstractions of views and patterns, respectively. We give a 
natural correspondence between the abstract graphs concepts and their counterparts in 
clock synchronization systems. 

We define the key concept of synchronization graphs, which are weighted directed graphs, 
derived from v-graphs and bounds mappings for these graphs; synchronization graphs will 
be our main tool in analyzing executions of clock synchronization systems. The main results 
in this section relate p-graphs to the synchronization graph. The development in this section 
is self-contained; to help the reader in understanding the motivation for the concepts, we 
give a running example from our intended application domain, namely clock synchronization 
systems. 


We start by defining the notion of v-graphs. 

Definition 5.1 A v-graph is a pair (G, local_time), where G = (V, E) is a directed graph 
with (p, q) ∈ E if and only if (q, p) ∈ E, and local_time is a function that associates a finite 
real number with each point p ∈ V. For any two points p, q ∈ V, we define virt_del(p, q) = 
local_time(p) − local_time(q). A bounds mapping for a v-graph is a function that assigns a 
number B(p, q) ∈ ℝ ∪ {∞} to each arc (p, q) ∈ E. 

Figure 5-1: An example of a v-graph. (Figure; its four points are labelled local_time = −1, 1, 3 and 8.) 


The natural correspondence: views and v-graphs. Before we proceed to analyze 
view graphs, we describe the way v-graphs can be obtained from views of clock synchro- 
nization systems. Recall that a view V, as defined in Def. 3.5, is a graph, where each point 
is labeled by an action name and local time of occurrence. Notice that by adding for each 
arc (p,q) in a view another arc (q,p), we obtain a v-graph. In the resulting v-graph there 
is some additional information attached to each point (i.e., the name of the associated ac- 
tion or null point), but this is irrelevant for our treatment of v-graphs. We call the above 
mapping from views to v-graphs the natural correspondence. In the sequel, points will be 
used to denote both points in view graphs and in views, where the interpretation is clear 
by the context. 

The natural correspondence enables us to use bounds mappings for views as bounds 
mapping for v-graphs (recall that a bounds mapping for a view is a function that assigns 
an upper bound to the difference in real time between the occurrence of any two adjacent 
points in V, see Def. 3.10). Under the natural correspondence, a bounds mapping for a view 
V applies also to pairs of adjacent points in the v-graph of V. 


Example. Consider a system with two processors u and v, and suppose that u has a 
drift-free clock, and v has a (0.5, 1.5)-clock. Consider the following scenario. 

(1) u sends a message m_1 to v at local time −1, such that m_1 is guaranteed to be delivered 
within no less than 2 time units, and no more than 3 time units. 

(2) m_1 is received at v at local time 1. 

(3) v sends a message m_2 to u at local time 3, such that m_2 is guaranteed to be delivered 
within no less than 5 time units, and there is no upper bound on its transmission 
time. 

(4) m_2 is received at u at local time 8. 
The short description above provides sufficient detail to define a view, a v-graph, and 
a bounds mapping. Let s_1, s_2 denote the send points of m_1 and m_2, respectively, and let 
r_1, r_2 be their respective receive points. The corresponding v-graph is depicted in Figure 
5-1. Also, we have that 

$$\begin{aligned}
\text{virt\_del}(s_1,r_1) &= -2 & \text{virt\_del}(r_1,s_1) &= 2 \\
\text{virt\_del}(s_2,r_2) &= -5 & \text{virt\_del}(r_2,s_2) &= 5 \\
\text{virt\_del}(s_1,r_2) &= -9 & \text{virt\_del}(r_2,s_1) &= 9 \\
\text{virt\_del}(s_2,r_1) &= 2 & \text{virt\_del}(r_1,s_2) &= -2
\end{aligned}$$

Let B' denote the standard bounds mapping for the given view. Using Def. 3.11 we calculate 
the values of B'. We get 

$$\begin{aligned}
B'(s_1,r_1) &= -2 & B'(r_1,s_1) &= 3 \\
B'(s_2,r_2) &= -5 & B'(r_2,s_2) &= \infty \\
B'(s_1,r_2) &= -9 & B'(r_2,s_1) &= 9 \\
B'(s_2,r_1) &= 4 & B'(r_1,s_2) &= -4/3
\end{aligned}$$

We shall return to this example as we develop the analysis. □ 

For the remainder of this section, we fix a v-graph β = (G, local_time) where G = (V, E), 
and a bounds mapping B for β. 

Our next step is to define the concept of a p-graph as an extension of a v-graph, analogous 
to the way a pattern is an extension of a view. 


Definition 5.2 A p-graph with view β is a triple α = (G, local_time, now_α), where (G, local_time) = 
β, and now_α is a function that associates a non-negative finite real number with each 
point p ∈ V.¹ A p-graph α with view β is said to satisfy B if for all (p, q) ∈ E we have 

$$\text{act\_del}_\alpha(p,q) \stackrel{\text{def}}{=} \text{now}_\alpha(p) - \text{now}_\alpha(q) \;\le\; B(p,q).$$

For a given p-graph, we define the key concept of offsets. 


Definition 5.3 (Offset) Let p be a point in a p-graph α = (G, local_time, now_α). The 
absolute offset of p is 

$$\delta_\alpha(p) = \text{now}_\alpha(p) - \text{local\_time}(p).$$

For any other point q in α, the relative offset of p from q is 

$$\delta_\alpha(p,q) = \delta_\alpha(p) - \delta_\alpha(q).$$

We omit subscripts when no confusion arises. 


The natural correspondence: patterns and p-graphs. The natural correspondence 
defined above for views applies also for patterns. This way, given a pattern P as defined 
in Def. 3.5, its p-graph α is naturally defined. Moreover, using the natural correspondence, 
the notions of absolute and relative offsets, defined over the points of α, are also defined 
over the points of P, and we have that δ_P(p) = δ_α(p) and δ_P(p, q) = δ_α(p, q) for all points 
p, q. As an aside, notice that if we know the local times of two points in an execution, then 
bounding the real time that elapses between their occurrences is equivalent to bounding 
their relative offset. 
Before we proceed, we state two properties of relative offsets. 

Lemma 5.1 Let p, q, r be any three points of a given p-graph. Then 

1. δ(p, q) = −δ(q, p) (antisymmetry). 

2. δ(p, q) = δ(p, r) + δ(r, q) (chain rule). 

Proof: Immediate from definitions. □ 


¹ The v-graph β and the bounds mapping B are fixed in this section; since we shall be dealing with many 
possible patterns, the now function is subscripted by the pattern’s name. 
Figure 5-2: A p-graph with view as in Figure 5-1. (Figure; the points with local_time = −1, 1, 3 and 8 carry now = 0, 2, 3.5 and 9, respectively.) 


Example (continued). Figure 5-2 shows a p-graph whose view is given in Figure 5-1. 
It is easy to verify that this p-graph satisfies the bounds mapping B'. Let us compute the 
offsets for this p-graph. First, we compute the absolute offsets of the points. We get that 

$$\begin{aligned}
\delta(s_1) &= 1 & \delta(r_1) &= 1 \\
\delta(s_2) &= 0.5 & \delta(r_2) &= 1
\end{aligned}$$

Now we compute the relative offsets of pairs of points (reversing the order of the points 
negates the sign): 

$$\begin{aligned}
\delta(s_1,r_1) &= 0 & \delta(s_1,r_2) &= 0 \\
\delta(s_1,s_2) &= 0.5 & \delta(r_1,s_2) &= 0.5 \\
\delta(r_1,r_2) &= 0 & \delta(s_2,r_2) &= -0.5
\end{aligned}$$

□ 
Next, based on the v-graph β = (G, local_time) and the bounds mapping B, we introduce 
weights for the arcs of G. The resulting weighted graph, called the synchronization graph, 
is our primary tool for analyzing executions of clock synchronization systems. 


Definition 5.4 (Synchronization Graph) The synchronization graph generated by the 
v-graph β and its bounds mapping B is a weighted directed graph Γ = (V, E, w), where 
(V, E) = G, and w(p, q) = B(p, q) − virt_del(p, q) for all (p, q) ∈ E. 


Example (continued). The synchronization graph generated by the v-graph in Figure 
5-1 and B' is depicted in Figure 5-3. □ 

Figure 5-3: The synchronization graph generated by the v-graph in Figure 5-1 and B'. (Figure.) 


We now arrive at the main theme of this section, which is to study the connection 
between p-graphs and the synchronization graph. The following lemma states the basic 
property of arc weights of the synchronization graph. (Notice that since we have fixed β 
and B, we also have Γ fixed for the remainder of the section.) 

Lemma 5.2 If a given p-graph with v-graph β satisfies B, then for every arc (p, q) ∈ E, δ(p, q) ∈ [−w(q, p), w(p, q)]. 


Proof: Since the p-graph satisfies B, we have that act_del(p, q) ≤ B(p, q) and 
act_del(q, p) ≤ B(q, p), and hence act_del(p, q) ∈ [−B(q, p), B(p, q)]. Therefore, 

$$\begin{aligned}
\delta(p,q) &= (\text{now}(p) - \text{local\_time}(p)) - (\text{now}(q) - \text{local\_time}(q)) && \text{by definition} \\
&= \text{act\_del}(p,q) - \text{virt\_del}(p,q) && \text{rearranging} \\
&\in [-B(q,p) - \text{virt\_del}(p,q),\; B(p,q) - \text{virt\_del}(p,q)] && \text{by assumption} \\
&= [-B(q,p) + \text{virt\_del}(q,p),\; B(p,q) - \text{virt\_del}(p,q)] && \text{by antisymmetry} \\
&= [-w(q,p),\; w(p,q)]. && \text{by definition}
\end{aligned}$$

□ 


Our next step is to look at the natural concept of distance between points in the syn- 
chronization graph. Formally, we have the following (standard) definition. 


Definition 5.5 The weight of a path θ = p_0, p_1, …, p_k in a weighted graph Γ = (V, E, w) 
is $w(\theta) = \sum_{i=1}^{k} w(p_{i-1}, p_i)$. A path from p to q is a shortest path if its weight is minimum 
among all paths from p to q. The distance from p to q, denoted d(p, q), is the weight of a 
shortest path from p to q, or ∞ if there is no path from p to q. 
Notice that the distances are not well defined if Γ has cycles with negative weights. The 
next lemma gives a sufficient condition for Γ to have no negative-weight cycles. 


Lemma 5.3 If there exists a p-graph α with v-graph β such that α satisfies B, then Γ has 
no negative weight cycles. 


Proof: Let θ = (p_0, p_1, …, p_{k−1}, p_k = p_0) be any directed cycle in Γ. Then 

$$\begin{aligned}
w(\theta) &= \sum_{i=1}^{k} w(p_{i-1}, p_i) \\
&\ge \sum_{i=1}^{k} \delta_\alpha(p_{i-1}, p_i) && \text{by Lemma 5.2} \\
&= \delta_\alpha(p_0, p_0) && \text{by Lemma 5.1} \\
&= 0. && \text{by definition}
\end{aligned}$$

□ 
We now arrive at the first result for the problem of determining the set of p-graphs that 
satisfy B and have v-graph β. The following theorem characterizes these p-graphs in terms 
of all distances in the synchronization graph. 


Theorem 5.4 A p-graph α with v-graph β satisfies B if and only if for any two points 
p, q ∈ V in the synchronization graph, δ_α(p, q) ≤ d(p, q). 


Proof: Let α be a p-graph with v-graph β. Assume first that α satisfies B, i.e., for any 
(p, q) ∈ E we have act_del_α(p, q) ≤ B(p, q). We show that δ_α(p, q) ≤ d(p, q) for any 
p, q ∈ V. In case that there is no path connecting p and q, we have d(p, q) = ∞ and we are 
done trivially. Otherwise, consider any shortest path p = p_0, …, p_k = q from p to q. Then 
we have that 

$$\begin{aligned}
\delta_\alpha(p,q) &= \sum_{i=0}^{k-1} \delta_\alpha(p_i, p_{i+1}) && \text{by Lemma 5.1} \\
&\le \sum_{i=0}^{k-1} w(p_i, p_{i+1}) && \text{by Lemma 5.2} \\
&= d(p,q) && \text{by definition}
\end{aligned}$$

proving the “only if” part of the theorem. 

Conversely, assume that for any two points p, q ∈ V, we have that δ_α(p, q) ≤ d(p, q). We 
prove that α satisfies B. Let (p, q) ∈ E. By definitions of arc weights and distances, we have 
that B(p, q) − virt_del(p, q) = w(p, q) ≥ d(p, q). Hence, by assumption, we get B(p, q) − 
virt_del(p, q) ≥ d(p, q) ≥ δ_α(p, q) = act_del_α(p, q) − virt_del(p, q). Adding virt_del(p, q) to 
both sides, we get B(p, q) ≥ act_del_α(p, q), as desired. □ 


Example (continued). The distances in the synchronization graph of Figure 5-3 are 
given by 

$$\begin{aligned}
d(s_1,r_1) &= 0 & d(r_1,s_1) &= 2/3 \\
d(s_1,s_2) &= 2/3 & d(s_2,s_1) &= 0 \\
d(s_1,r_2) &= 0 & d(r_2,s_1) &= 0 \\
d(s_2,r_1) &= 0 & d(r_1,s_2) &= 2/3 \\
d(s_2,r_2) &= 0 & d(r_2,s_2) &= 2/3 \\
d(r_2,r_1) &= 0 & d(r_1,r_2) &= 2/3
\end{aligned}$$

As the reader may verify, for the pattern of Figure 5-2 we have that δ(p, q) ∈ [−d(q, p), d(p, q)] 
for all points p, q in the view. □ 

Before we state the next theorem (which is the major result of this section), we define the 
following technical terms. The complicated-looking definition is due to the fact that distances 
may be infinite. 


Definition 5.6 Suppose Γ has no negative weight cycles. Let α be a p-graph with v-graph 
β, let p_0 ∈ V, and let N > 0. 

(1) α is an N-p-graph from p_0 if for all q ∈ V: if d(p_0, q) < ∞ then δ_α(p_0, q) = d(p_0, q), 
and otherwise δ_α(p_0, q) > N. 

(2) α is an N-p-graph to p_0 if for all q ∈ V: if d(q, p_0) < ∞ then δ_α(q, p_0) = d(q, p_0), 
and otherwise δ_α(q, p_0) > N. 


The offsets in an N-p-graph from p_0 are the distances from p_0, with infinite distances 
replaced by offsets larger than N, and analogously for an N-p-graph to p_0. Using these 
notions, we state the following theorem. 


Theorem 5.5 Suppose Γ has no negative-weight cycles. Then for any point p_0 ∈ V, and 
for any finite number N > 0, there exist p-graphs α_0 and α_1, such that both have view β, 
both satisfy B, and such that α_0 is an N-p-graph to p_0, and α_1 is an N-p-graph from p_0. 


Proof: To prove the theorem, we first construct a related graph Γ* in which all distances 
are finite. Based on Γ*, we define p-graphs α_0 and α_1, and then show that α_0 and α_1 have 
the required properties. 
To construct Γ*, we first choose a number M that is sufficiently large so as to satisfy 

$$M \;>\; N \;+\; \sum_{\substack{(p,q)\in E \\ 0 \le w(p,q) < \infty}} w(p,q) \;-\; \sum_{\substack{(p,q)\in E \\ -\infty < w(p,q) < 0}} w(p,q).$$

Using M, we augment Γ with extra arcs as follows. For each pair of points p, q such that 
d(p, q) = ∞, we add an artificial arc (p, q) with weight M. Call the resulting augmented 
graph Γ*, and denote its distance function by d*. The following claim shows the connection 
between the distances in Γ*, the distances in Γ, and N. 

Claim A. For all p, q ∈ V, if d(p, q) < ∞, then d*(p, q) = d(p, q), and if d(p, q) = ∞, then 
N < d*(p, q) < ∞. 


Proof of Claim A: We start (for future reference) with an inequality that follows directly 
from the choice of M. Let X and Y denote arbitrary subsets of the arcs of Γ with finite 
weights. Then 

$$M + \sum_{(p,q)\in X} w(p,q) \;>\; N + \max\Bigl\{0,\; \sum_{(p,q)\in Y} w(p,q)\Bigr\}. \qquad (5.1)$$

Next, we argue that the augmented graph Γ* has no negative weight cycles. Suppose, 
for contradiction, that there exists some negative weight cycle in Γ*. Then one of the arcs of 
the cycle, say (p, q), must be an artificial arc, and there must be a simple directed path 
Z in Γ* from q to p with total weight w_Z such that M + w_Z < 0. Let w'_Z be the sum of the 
negative weight arcs of Z. Clearly, w'_Z ≤ w_Z. Also, by Eq. (5.1), we have that the sum 
of M and the weights of any subset of arcs of Γ is at least N. Since all artificial arcs have 
positive weight, we know that w'_Z is the sum of weights of arcs from Γ. Therefore we have 
that M + w_Z ≥ M + w'_Z > N > 0, a contradiction. 


To show that the finite distances in Γ remain invariant in Γ*, we first note that since 
Γ is a subgraph of Γ*, it must be the case for all p, q ∈ V that d*(p, q) ≤ d(p, q). Suppose 
for contradiction that for some p, q ∈ V with d(p, q) < ∞ we have d*(p, q) < d(p, q). Since, 
as we showed above, Γ* has no negative-weight cycles, we may assume that there exists a 
simple path in Γ* with weight d*(p, q). Clearly, one of its arcs is artificial. However, by Eq. 
(5.1), this means that the total weight of that path is larger than the total weight of any 
finite-weight simple path in Γ, a contradiction. 

Finally, let p, q ∈ V be such that d(p, q) = ∞. Clearly d*(p, q) < ∞ by virtue of the 
artificial arc (p, q). To see that d*(p, q) > N, consider any simple path from p to q. As 
before, this path contains at least one artificial arc, and therefore its total weight is at least 
M plus all negative weights of Γ. Using Eq. (5.1), we get that the total weight of the path 
is greater than N. □ 

We now define the p-graphs α_0 and α_1 explicitly. Since their view is given, the events 
and their local times are already fixed; we complete the construction by specifying the now 
mappings of the p-graphs. Let L be a number such that 

$$L \;>\; -\min_{q \in V}\bigl\{\text{local\_time}(q) + d^*(q,p_0),\; \text{local\_time}(q) - d^*(p_0,q)\bigr\}.$$

For all q ∈ V, we set 

$$\begin{aligned}
\text{now}_{\alpha_0}(q) &= L + \text{local\_time}(q) + d^*(q,p_0) \\
\text{now}_{\alpha_1}(q) &= L + \text{local\_time}(q) - d^*(p_0,q)
\end{aligned}$$

(The additional term L guarantees that all now values are positive.) By the construction, 
for all q ∈ V we have 

$$\begin{aligned}
\delta_{\alpha_0}(q) &= \text{now}_{\alpha_0}(q) - \text{local\_time}(q) \\
&= L + (d^*(q,p_0) + \text{local\_time}(q)) - \text{local\_time}(q) \\
&= L + d^*(q,p_0). \qquad (5.2)
\end{aligned}$$

Since d*(p_0, p_0) = 0, we have that $\delta_{\alpha_0}(p_0) = L$, and therefore $\delta_{\alpha_0}(q,p_0) = \delta_{\alpha_0}(q) - \delta_{\alpha_0}(p_0) = d^*(q,p_0)$. 
Similarly, we obtain that $\delta_{\alpha_1}(p_0,q) = d^*(p_0,q)$. Therefore, by Claim A, α_0 is an 
N-p-graph to p_0 and α_1 is an N-p-graph from p_0. The following claim completes the proof 
of the theorem. 

Claim B. The p-graphs α_0 and α_1 defined above satisfy the bounds mapping B. 


Proof of Claim B: By Theorem 5.4, it is sufficient to prove that for all p, q ∈ V, $\delta_{\alpha_0}(p,q) \le d(p,q)$. 
So let p and q be arbitrary points in the synchronization graph. In what follows, we 
consider Γ*, the graph defined above. Since d*(p, q) ≤ d(p, q), it is sufficient to prove that 

$$\delta_{\alpha_0}(p,q) \le d^*(p,q).$$


Figure 5-4: Scenarios considered in the proof of Claim B. R is a shortest path from p to q, 
P is a shortest path from p_0 to p, and Q is a shortest path from q to p_0. 

Let R be any shortest path from p to q. Consider the path obtained by following the 
arcs of R from p to q, and then the arcs of a shortest path from q to p_0 (see Figure 5-4(a)). 
This path leads from p to p_0, and hence d*(p,q) + d*(q,p_0) ≥ d*(p,p_0). It follows from 
Eq. (5.2) and the definition of relative offsets that 


$d^*(p,q) \ge d^*(p,p_0) - d^*(q,p_0)$

$= \delta_{\alpha_0}(p) - \delta_{\alpha_0}(q)$

$= \delta_{\alpha_0}(p,q).$

I.e., for all p,q ∈ V, δ_{α_0}(p,q) ≤ d*(p,q), and therefore, by Theorem 5.4, we conclude 
that α_0 satisfies the given bounds mapping B, as desired. 

The proof for α_1 is analogous. We consider a shortest path R connecting two arbitrary 
points p and q. To show that its weight d*(p,q) is at least δ_{α_1}(p,q), we look at the path 
depicted in Figure 5-4(b), consisting of a shortest path P from p_0 to p, followed by R. As 
before, we have that d*(p_0,p) + d*(p,q) ≥ d*(p_0,q), and hence we get 

$d^*(p,q) \ge d^*(p_0,q) - d^*(p_0,p)$

$= -\delta_{\alpha_1}(q) + \delta_{\alpha_1}(p)$

$= \delta_{\alpha_1}(p,q).$

Therefore, δ_{α_1}(p,q) ≤ d*(p,q) for all points p,q ∈ V, and applying Theorem 5.4 shows that 
α_1 satisfies B, as desired. ∎ 

This completes the proof of Theorem 5.5. ∎ 
[Figure 5-5, node annotations: (a) local_time = −1, now = 0; local_time = 1, now = 2; local_time = 8, now = 9; local_time = 3, now = 8/3. (b) local_time = −1, now = 0; local_time = 1, now = 1; local_time = 8, now = 9; local_time = 3, now = 3.5.] 

Figure 5-5: Assuming now(r_2) = 9, (a) is a pattern from r_2, and (b) is a pattern to r_2. 


Example (conclusion). Using the distances calculated above for the synchronization 
graph of Figure 5-3, we can compute patterns from and to the point r_2. Since the definition 
of these patterns only specifies relative offsets, we fix now(r_2) = 9 (agreeing with the pattern 
of Figure 5-2 at this point). The resulting pattern from r_2 is given in Figure 5-5(a), and 
the resulting pattern to r_2 is given in Figure 5-5(b). It is a simple matter to verify that 
both patterns have the view depicted in Figure 5-1, and they satisfy the bounds mapping 
B. One conclusion from these patterns is that an observer located at r_2, with access only 
to the view and the bounds mapping, cannot determine the time of occurrence of s_1 with 
tightness greater than 7/2 − 8/3 = 5/6 real time units, since both patterns depicted in (a) 
and (b) describe a possible scenario. ∎ 


5.2 Interpretation in Clock Synchronization Systems 


Theorems 5.4 and 5.5 describe a relation between p-graphs and synchronization graphs. 
In this section we apply these results to executions of clock synchronization systems. In 
other words, in this section we deal with views and patterns of executions of clock synchro- 
nization systems (as defined in Section 3.2.1), instead of abstract v-graphs and p-graphs, 
respectively. We apply, in a straightforward fashion, the theorems of Section 5.1, in con- 
junction with Theorem 3.4, using the natural correspondence (defined in Section 5.1), which 
maps views and patterns to v-graphs and p-graphs, respectively. Before we state and prove 
the (somewhat technical, albeit straightforward) theorems, we make two comments about 
the results. 


1. By our definitions of clock synchronization systems, synchronization graphs can 
be used under a wide variety of assumptions. In particular, they can be used to model 
executions where messages may be lost, delivered out of order, or duplicated by the com- 
munication links; they can be used to model broadcast channels; they can be used for the 
case of processor and link crashes; and by our definition of bounds mapping, they can also 
be used to model clock drift bounds that may change over time. 

2. The essential assumptions in our analysis are the following. First, if an offset can 
be a value a and a value b, then it can also be any value in between. This rules out 
scenarios in which the offset might be either a or b (as might be the case for messages 
over framed communication links, or clocks with fixed but unknown rate). Removing this 
assumption would result in a constraint system which is not even a linear program, and cannot 
be handled by distance computation techniques. The second important assumption in 
our analysis is that “patterns satisfy the bounds mapping,” that is to say, the system behaves 
according to its specification. As indicated by Lemma 5.3 (and explained in Chapter 9), 
synchronization graphs are still useful in some limited sense in the case that executions do 
not satisfy the bounds mapping. 

We now proceed with applying the analysis of Section 5.1 to clock synchronization 
systems. We recall that under the natural correspondence, each arc (p,q) in a view is 
replaced by a pair of arcs (p,q) and (q,p) in the corresponding v-graph, and that local time 
attributes, bounds mapping values (and real times in p-graphs) remain unchanged. Under 
the natural correspondence, the notion of offsets that was defined for p-graphs (Def. 5.3) 
applies to executions and patterns of clock synchronization systems. The offset between 
two points p,q in a pattern P is 

$\delta_P(p,q) = \delta_P(p) - \delta_P(q)$

$= (\mathit{now}_P(p)-\mathit{local\_time}_P(p)) - (\mathit{now}_P(q)-\mathit{local\_time}_P(q))$

$= \mathit{act\_del}_P(p,q) - \mathit{virt\_del}_P(p,q).$

It follows that if we know the local times of occurrence of p and q, then bounding the real 
time that elapses between their occurrences is equivalent to bounding δ(p,q). This seems 
to capture a useful quantity in any synchronization problem. The theorems in this section 
provide us with a characterization of the bounds on the offset in a pattern with a given view 
and bounds mapping, and hence they are useful in analyzing synchronization problems. 
First, we state the theorem that is the key in proving correctness of clock synchronization 
algorithms. 


Theorem 5.6 Let V be a view of an execution of a clock synchronization system S, and 
let B be the standard bounds mapping for V. Let Γ be the synchronization graph generated 
by the v-graph of V and B, and let d_Γ be its distance function. Let P be any pattern with 
view V. Then there exists an execution e' of S whose pattern is P if and only if for any two 
points p,q in P, we have δ_P(p,q) ≤ d_Γ(p,q). 


Proof: Suppose first that there exists an execution e' of S with pattern P, and consider its 
p-graph α. Since by assumption e' is an execution of S, P satisfies B, and hence α satisfies 
B. Therefore, by Theorem 5.4, for any two points p,q in α, δ_α(p,q) ≤ d_Γ(p,q), and since 
δ_α(p,q) = δ_P(p,q), we are done in this case. 

Suppose now that for a pattern P with view V, we have δ_P(p,q) ≤ d_Γ(p,q) for every pair 
of points p,q in P. It follows that in the p-graph α of P, δ_α(p,q) ≤ d_Γ(p,q) for every pair 
of points p,q. Hence, by Theorem 5.4, α satisfies B, and therefore P satisfies B. Finally, 
since P satisfies the standard bounds B, we may apply Theorem 3.4, and conclude that 
there exists an execution e' of S whose pattern is P. ∎ 

Next, we present the theorem we shall use for proving lower bounds on the tightness 
achievable by synchronization algorithms. We first define the notions of N-patterns to and 
from a point. The definition is the equivalent of Def. 5.6 under the natural correspondence. 


Definition 5.7 Let Γ be a synchronization graph for a view V, and let P be a pattern with 
view V. Let α be the p-graph for P under the natural correspondence, and let p_0 be a point 
in α. For any N > 0, P is an N-pattern from p_0 if α is an N-p-graph from p_0, and it is an 
N-pattern to p_0 if α is an N-p-graph to p_0. 


The following theorem is the application of Theorem 5.5 to clock synchronization systems. 
Intuitively, it says that there exist indistinguishable executions of clock synchronization 
systems, where the offsets between a given point and any other point are exactly the 
distances in the synchronization graph, and hence any synchronization algorithm must take 
these extreme cases into account. 


Theorem 5.7 Let V be a view of an execution e of a clock synchronization system S (pos- 
sibly including null points), and let B be the standard bounds mapping for V. Let Γ be the 
synchronization graph generated by the v-graph of V and by B, and let d_Γ be its distance 
function. Let p_0 be any point in V. Then for any finite number N > 0, there exist executions 
e_0 and e_1 of S, such that both have view V, and such that the pattern of e_0 is an N-pattern 
to p_0, and the pattern of e_1 is an N-pattern from p_0. Moreover, for each CSA module C_v, 
the executions of C_v in e_0 and in e_1 are equivalent. 


Proof: First, note that since V is obtained from an execution e of S, the pattern P of e satisfies the 
standard bounds mapping B. From Theorem 5.6 we get that for any two points p,q in P, 
δ_P(p,q) ≤ d_Γ(p,q); in particular, since δ_P(p,p) = 0 for all points p, we conclude that there 
are no negative-weight cycles in Γ. Hence we can apply Theorem 5.5, and get p-graphs α_0 
and α_1 which are N-p-graphs to and from p_0, respectively, such that both satisfy B. Using 
the natural correspondence between V and its v-graph, we obtain from α_0 and α_1 patterns 
P_0 and P_1. Since α_0 and α_1 satisfy B, P_0 and P_1 satisfy B too. We can therefore apply 
Theorem 3.4, and the result follows. ∎ 


We also state a variant of Theorem 5.7 used for locality-oriented bounds. 


Theorem 5.8 Let V be a view of an execution e of a clock synchronization system S (pos- 
sibly including null points), and let p_0 be any point in V. Let B be the standard bounds 
mapping for the local view prune(V, p_0), and let Γ be the synchronization graph generated 
by prune(V, p_0) and B, and let d_Γ be its distance function. Then for any finite number 
N > 0, there exist executions e_0 and e_1 of S, such that both have view prune(V, p_0), and 
such that the pattern of e_0 is an N-pattern to p_0, and the pattern of e_1 is an N-pattern from 
p_0. Moreover, for each CSA module C_v, the executions of C_v in e_0 and in e_1 are equivalent. 


Proof: By Theorem 3.2, there exists an execution e' whose view is prune(V, p_0) and such 
that for each CSA module C_v, prune(e|_{C_v}, p_0) = prune(e'|_{C_v}, p_0). The theorem therefore 
follows by applying Theorem 5.7 to e'. ∎ 




Summary 


In this chapter we abstracted the notions of views and patterns using the notions of v-graphs 
and p-graphs. We defined the concept of offsets of points in patterns, which captures an 
elementary synchronization problem. Using the bounds mapping, we defined the basic tool 
of our analysis, namely the synchronization graphs. Using the offsets, we proved a simple 
characterization of the patterns which have a given view and bounds mapping, in terms 
of distances in the synchronization graph derived from the view and the bounds mapping. 
In particular, our main results in this chapter show that the bounds on synchronization 
obtained by the distances in the synchronization graphs are the best bounds possible, in 
the sense that there exist patterns that have the given view, satisfy the given bounds 
mapping, and meet the distance bounds. 

The concept of synchronization graphs, specialized appropriately, serves as the basis for 
analyzing specific synchronization problems in Chapters 6, 7 and 8. A few simple variants 
of synchronization graphs are described in Chapter 9. 
Chapter 6 


External Synchronization 


In this chapter we study a particular variant of the synchronization problem, called external 
synchronization. Informally, in the external synchronization problem there is a distinguished 
processor called the source processor, which is equipped with a drift-free clock. The task of 
all other processors is to produce, at all states, an estimate (i.e., an interval) that contains 
the current reading of the source clock. The name is motivated by an implicit assumption 
that the source clock serves as a source of real time in the system. The length of the estimate 
interval is called the tightness of synchronization at that point. 

In this chapter, we obtain a few results for the external synchronization task, using Theo- 
rems 5.6 and 5.8. First, we characterize the achievable tightness of external synchronization 
for any processor at any given time, in terms of distances in the appropriate synchronization 
graph. The general algorithm we present, which achieves optimal tightness always, is a full 
information protocol, and hence inefficient. By contrast, for the special case of drift-free 
clocks, we present an optimal algorithm which is extremely efficient (and simple). The 
latter algorithm compares favorably to the so-called round-trip technique, used by many 
practical algorithms. In the last section of this chapter, we present the main ideas in the 
round-trip technique, based on NTP (Network Time Protocol, the external synchronization 
protocol used over the Internet [26]).¹ We also explain why our technique is superior to the 
one used in NTP. 

This chapter is organized as follows. In Section 6.1 we recall the definition of external 
synchronization, and make a few preliminary observations. In Section 6.2 we give lower 
and upper bounds on the tightness of external synchronization in a general system, where 
the non-source clocks have arbitrary drift bounds and arbitrary message latency bounds. 
In Section 6.3 we give an efficient optimal algorithm for systems with drift-free clocks. We 
conclude in Section 6.4 with a description of the round-trip technique, and compare it with 
our algorithm. 

¹ We use a simplified version introduced in Section 3.1.5 under the name SNTP. 


6.1 Problem Statement and Preliminary Observations 


We recall the definition of the external clock synchronization problem. There exists in the 
system a distinguished processor s, called the source processor, whose local clock is drift- 
free. Each CSA module has two output variables, denoted ext_L_v and ext_U_v. For any given 
state x in an execution of an external synchronization system, let source_time(x) denote 
the local time at the source in x. The correctness requirement for a processor v is that 
in every reachable state x, the output variables satisfy source_time(x) ∈ [ext_L_v, ext_U_v]. 

The tightness of synchronization at processor v in some state is the difference between the 
output variables in that state: 

$\Theta_v = \mathit{ext\_U}_v - \mathit{ext\_L}_v.$


As a preliminary step in our analysis, we state a general property of drift-free clocks. 


Lemma 6.1 Suppose that processor v has a drift-free clock, and let Γ = (V,E,w) be a 
synchronization graph obtained from a view of some execution of the system and the standard 
bounds mapping. Then the distance in Γ between any two points that occur at v is 0. 


Proof: We first claim that for any two adjacent points q,q' that occur at v, we have 
w(q,q') = 0. This follows immediately from the definitions: by Def. 2.5, ρ_v = ρ̄_v = 1; by 
Def. 3.11, we have B(q,q') = virt_del(q,q')/ρ_v = virt_del(q,q'); and hence, by Def. 5.4, we 
have w(q,q') = B(q,q') − virt_del(q,q') = 0. 

This claim implies that there exists a 0-weight path between any two points occurring at 
v, and hence, for any two points q_1, q_2 that occur at v, we have that d(q_1,q_2) ≤ 0. Suppose 
now, for the sake of contradiction, that there exists a path P from q_1 to q_2 with negative 
weight. Since there exists a path Q from q_2 to q_1 of weight 0, we conclude that the cycle 
obtained by “gluing” P and Q together has negative weight, contradicting Lemma 5.3. ∎ 
The meaning of Lemma 6.1 is as follows. Suppose that a processor v has a drift-free 
clock, and let p_0 be any point in the synchronization graph. Then the distance to p_0 from 
any point q that occurs at v, and the distance from p_0 to any point q that occurs at v, 
are independent of the particular choice of q, so long as q occurs at v. In other words, all 
points that occur at a processor whose local clock is drift-free are equivalent for the distance 
function in the synchronization graph. It is convenient to refer in this case to a superpoint 
associated with a drift-free processor v, defined formally to be an arbitrary representative of 
the points that occur at v. From the perspective of patterns, we notice that for a processor 
v whose clock is drift-free, the absolute offsets of all the points that occur at v are the same, 
and hence the notion of relative offset between any point and the superpoint of v is well 
defined. 

The source clock, by definition, is drift-free. Given a synchronization graph of an ex- 
ternal synchronization system, we call the superpoint associated with the source the source 
point, and denote it by sp throughout this chapter. 


6.2 Bounds on the Tightness of External Synchronization 


In this section we prove matching upper and lower bounds on the tightness of algorithms 
for external synchronization. The lower bound is derived from Theorem 5.8, and the upper 
bound follows from Theorem 5.6. 

We start by fixing the scenario and the notation. Throughout this section we are dealing 
with an execution of an external synchronization system; let v be a processor in the system, 
and let x be a state in the execution. We denote T_{x,v} = local_time_v(x), and denote by p_{x,v} 
the point that occurs at v at local time T_{x,v}. (If there is more than one such point, we take 
the last one; if there is no such point, p_{x,v} is a null point we introduce.) Further, we denote 
V_{x,v} = prune(V, p_{x,v}), i.e., V_{x,v} is the local view of the execution at v at local time T_{x,v}. 
Let B_{x,v} denote the standard bounds mapping for V_{x,v}. We use the synchronization graph 
Γ_{x,v} = (V,E,w) generated by the view graph of V_{x,v} and B_{x,v}, and denote the distance 
function of Γ_{x,v} by d_{x,v}. Finally, recall that sp denotes the source point of Γ_{x,v}. 

We start with a simple lemma that bounds the local time at the source in state x, in 
terms of the local time at v, and the distances between p_{x,v} and the source point in the 
corresponding synchronization graph. 
Lemma 6.2 For all states x and processors v, 

$\mathit{source\_time}(x) \in [\,T_{x,v} - d_{x,v}(sp, p_{x,v}),\ T_{x,v} + d_{x,v}(p_{x,v}, sp)\,].$


Proof: Consider the synchronization graph Γ obtained from the full view and the standard 
bounds mapping of the execution, and let d be the distance function in Γ. Since Γ_{x,v} is a 
subgraph of Γ, we have that for every pair of points p,q in Γ_{x,v} 

$d_{x,v}(p,q) \ge d(p,q).$   (6.1) 

Now, let δ be the offset function of the execution, and let T_{x,s} = source_time(x). Then we 
have that 

$T_{x,s} = (T_{x,s} - \mathit{now}(x)) - (T_{x,v} - \mathit{now}(x)) + T_{x,v}$

$= \delta(p_{x,v}, sp) + T_{x,v}$   by definition of δ 

$\in [\,T_{x,v} - d(sp, p_{x,v}),\ T_{x,v} + d(p_{x,v}, sp)\,]$   by Theorem 5.6 

$\subseteq [\,T_{x,v} - d_{x,v}(sp, p_{x,v}),\ T_{x,v} + d_{x,v}(p_{x,v}, sp)\,]$   by Eq. (6.1) ∎ 


We now state the lower bound on the tightness of external synchronization. 


Theorem 6.3 Let x be any state in an execution of an external clock synchronization 
system, and let v be any non-source processor. Then in x, 

$[\mathit{ext\_L}_v, \mathit{ext\_U}_v] \supseteq [\,T_{x,v} - d_{x,v}(sp, p_{x,v}),\ T_{x,v} + d_{x,v}(p_{x,v}, sp)\,].$


Proof: Consider first the case where x occurs before the first action in v. Then clearly in 
x we have [ext_L_v, ext_U_v] = [−∞, ∞], and since Γ_{x,v} does not contain the source point, we 
also have d_{x,v}(sp, p_{x,v}) = d_{x,v}(p_{x,v}, sp) = ∞, and we are done. Assume for the rest of the 
proof that x occurs after the first action of v. 

Suppose that d_{x,v}(sp, p_{x,v}) < ∞ and d_{x,v}(p_{x,v}, sp) < ∞. By Theorem 5.8 (applied with 
p_0 substituted by p_{x,v}), there exist executions e_0 and e_1 such that both have view V_{x,v}, 
and such that for e_0 we have δ_0(p_{x,v}, sp) = −d_{x,v}(sp, p_{x,v}) and for e_1 we have δ_1(p_{x,v}, sp) = 
d_{x,v}(p_{x,v}, sp). Let ST_0 and ST_1 denote the source time when the local time at v is T_{x,v} 
in e_0 and e_1, respectively. By definition, we have that ST_0 = T_{x,v} + δ_0(p_{x,v}, sp) = T_{x,v} − 
d_{x,v}(sp, p_{x,v}), and similarly, ST_1 = T_{x,v} + d_{x,v}(p_{x,v}, sp). Moreover, Theorem 5.8 says that the 
basic state of the CSA module at v at local time T_{x,v} is the same in the original execution, 
in e_0 and in e_1. Since the output variables of a CSA are part of its basic state component, 
it follows from the correctness requirement for external synchronization that in x, 

$[\mathit{ext\_L}_v, \mathit{ext\_U}_v] \supseteq [\,T_{x,v} - d_{x,v}(sp, p_{x,v}),\ T_{x,v} + d_{x,v}(p_{x,v}, sp)\,],$

and the theorem is proven in this case. 

To complete the proof, consider the case that either d_{x,v}(sp, p_{x,v}) = ∞ or d_{x,v}(p_{x,v}, sp) = ∞. 
Suppose, for example, that d_{x,v}(sp, p_{x,v}) = ∞ (the other case is analogous). In this case we 
apply Theorem 5.8 and get that for any N > 0 there exists an execution e_N with view V_{x,v} in 
which δ(sp, p_{x,v}) > N. Therefore, in e_N, when the local time at v is T_{x,v}, the source time 
is smaller than T_{x,v} − N. Since Theorem 5.8 also says that the output of the CSA at v is 
identical for all e_N, the correctness requirement implies that in x, ext_L_v = −∞. ∎ 

The following theorem shows that the lower bound on tightness of Theorem 6.3 is an 
upper bound too. 

Theorem 6.4 There exists an external CSA such that for any state x in an execution of 
the clock synchronization system, at any processor v, the output values are 

$\mathit{ext\_L}_v = T_{x,v} - d_{x,v}(sp, p_{x,v})$

$\mathit{ext\_U}_v = T_{x,v} + d_{x,v}(p_{x,v}, sp).$


Proof Sketch: The proof consists of the specification of the algorithm. Below, we outline 
a simple algorithm, based on the full information protocol. More specifically, the state of 
the CSA at a processor v describes the complete local view of v at that state. Using the 
standard bounds mapping (assumed to be built into the algorithm), the synchronization 
graph can be computed, and the output values are given by 

$\mathit{ext\_L}_v = \mathit{local\_time}_v - d_{x,v}(sp, p_{x,v})$   (6.2) 

$\mathit{ext\_U}_v = \mathit{local\_time}_v + d_{x,v}(p_{x,v}, sp).$   (6.3) 


The implementation of the algorithm is straightforward: a description of the complete 
current local view (where each point has a unique name) is sent in every message; whenever 
a message arrives, the view it carries is merged in the natural way with the current local 
view by performing union over the two graphs. A synchronization graph is then constructed 
from the new view and its standard bounds mapping, and the distances from the current 
point to the source point and from the source point to the current point are computed, using 
any single-source shortest paths algorithm for general graphs (see, e.g., [5]). Using these 
distances, the output variables are updated according to Eqs. (6.2, 6.3). To have updated 
output values at all states, the output variables are also modified whenever a time-passage 
action occurs: if the local time is incremented by δ units, we set 

$\mathit{ext\_L}_v \leftarrow \mathit{ext\_L}_v + \delta - \delta(\bar\rho_v - 1)/\bar\rho_v$   (6.4) 

$\mathit{ext\_U}_v \leftarrow \mathit{ext\_U}_v + \delta + \delta(1 - \rho_v)/\rho_v.$   (6.5) 

This completes the description of the algorithm. Let us now explain why it is correct. 
First, we argue that the algorithm describes admissible CSA modules: it has the required 
interface, it has the non-interfering filtering property, it is real-time blind, and its initial 
states are quiescent. To show correctness, we apply an easy induction on the steps of the 
execution that shows that the algorithm maintains, at each point, a description of the local 
view from that point, and therefore the output is correct after each receive event. Consider 
now the synchronization graph at the null point p_{x,v} that occurs at v at local time T_{x,v}. Let 
p'_v be the last receive point that occurs at v before p_{x,v}. If p'_v does not exist, we are done 
trivially, since both the synchronization distances and the output values are infinite in this 
case. Otherwise, by the definitions we get that there is a single path from p_{x,v} to p'_v with 
weight virt_del(p_{x,v}, p'_v)(1 − ρ_v)/ρ_v. Similarly, there exists a single path from p'_v to p_{x,v}, 
with weight virt_del(p'_v, p_{x,v})(ρ̄_v − 1)/ρ̄_v. Hence, from Eqs. (6.2-6.5) and Lemma 6.2, we 
have that the algorithm is correct. Finally, note that the output values satisfy the theorem 
statement, by the specification of the algorithm and by the fact that its state at any point 
represents the local view at that point. ∎ 


Remarks. 

1. The algorithm above is optimal, as defined in Definition 4.1, i.e., it provides the best 
possible output values at each point. 

2. It is easy to make the algorithm described above more efficient without affecting the 
output. For example, instead of sending the complete view in each message, it suffices to 
send only incremental changes. Notice that this modification would reduce the communica- 
tion overhead significantly, but would not help to save space for storing state (in fact, more 
space will be needed at the processors). The property of high space requirement is inherent 
to optimal algorithms for general systems, as we show in Chapter 8. 


6.3 An Efficient Algorithm for Drift-Free Clocks 


In this section we restrict our attention to the case where all clocks are drift-free. Making 
this simplifying assumption enables us to derive an extremely efficient algorithm for external 
synchronization that gives optimal tightness. The algorithm is presented in Subsection 6.3.1, 
and analyzed in Subsection 6.3.2. 


6.3.1 The Algorithm 


The complete specification of the algorithm is given in Figure 6-1 (non-source processors) 
and Figure 6-2 (source processors). The code lines that are not part of the generic code 
for CSAs are numbered. The idea is as follows. As proved in Lemma 6.1, all the points 
that occur at a processor with a drift-free clock can be thought of as a single superpoint 
for distance computations. Intuitively, our algorithm computes distances in the graph of 
superpoints. Since arc weights in the graph of superpoints may only decrease, we use (two 
independent versions of) the distributed Bellman-Ford algorithm for single-source shortest 
paths computation [4]. 

More specifically, for each link L_{uv}, the CSA at node v maintains estimates for the weight 
of the lightest arcs from the superpoint of u to v in the state variable ŵ(u,v), and of the weight 
of the lightest arcs from v to u in the state variable ŵ(v,u). To this end, whenever a message 
arrives, the weights of the corresponding arcs in the synchronization graph are computed, 
using a temporary variable ν which holds the virtual delay, and the message latency bounds; 
only the minimum estimate is kept (lines 4-6 and 5s-7s). Using these weights, the distances 
to and from the source are computed in the variables d(v,s) and d(s,v), respectively. Lines 
7-8 are the Bellman-Ford relaxations. In lines 9-10, the output variables are updated. 

In addition, whenever a message is sent to a neighbor, the CSA augments it with the 
current local time, the best known weights for the arcs between them, and the distances to 
and from the source (lines 3 and 4s). 
The problem specification also requires that the output variables be updated when time 
passes (lines 11-12). 
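The protocol of Figures 6-1 and 6-2 simulated on a constructed three-processor run, as an added example that is not the thesis's code: each node keeps the minimum arc-weight estimates ŵ and the Bellman-Ford distances d(v,s), d(s,v), and the output interval is that of Eqs. (6.2)-(6.3). The node offsets, message times and latency bounds H, L are constructed, and the augmentation tuple is passed as a dict keyed by arc direction rather than positionally.

```python
import math
from dataclasses import dataclass, field

INF = math.inf


@dataclass
class Node:
    """One CSA of the drift-free protocol.  `offset` is delta(v) = now - local_time(v):
    constructed ground truth used to stamp messages and to check results, never read
    by the protocol logic itself."""
    name: str
    offset: float
    is_source: bool = False
    w: dict = field(default_factory=dict)   # w[(x, y)]: lightest known arc x -> y (lines 2, 3s)
    d_to_s: float = INF                     # d(v, s), line 1
    d_from_s: float = INF                   # d(s, v), line 1

    def __post_init__(self):
        if self.is_source:                  # d(s, s) = 0 in both directions (line 2s)
            self.d_to_s = self.d_from_s = 0.0

    def local_time(self, now):
        return now - self.offset

    def est(self, arc):
        return self.w.get(arc, INF)         # arcs never seen have weight infinity

    def estimate(self, now):
        """[ext_L, ext_U] at real time `now`: Eqs. (6.2)-(6.3), advanced by time passage (lines 9-12)."""
        lt = self.local_time(now)
        return lt - self.d_from_s, lt + self.d_to_s


def augment(x, y, now):
    """Augmentation of a message from x to y (lines 3 / 4s): x's local send time, its
    estimates for the two arcs between x and y, and its distances to and from s."""
    return {"lt": x.local_time(now),
            "w_xy": x.est((x.name, y.name)), "w_yx": x.est((y.name, x.name)),
            "d_xs": x.d_to_s, "d_sx": x.d_from_s}


def receive(y, x, msg, now, low, high):
    """Receive_Aug_Message at y of a message sent by x whose real latency is known to lie
    in [low, high] (lines 4-8 / 5s-7s)."""
    nu = y.local_time(now) - msg["lt"]      # virtual delay, line 4
    # real latency = nu + delta(y) - delta(x) lies in [low, high], hence
    # delta(y) - delta(x) <= high - nu and delta(x) - delta(y) <= nu - low;
    # keep the minimum of the three available estimates (lines 5-6).
    w_yx = min(high - nu, msg["w_yx"], y.est((y.name, x.name)))
    w_xy = min(nu - low, msg["w_xy"], y.est((x.name, y.name)))
    y.w[(y.name, x.name)], y.w[(x.name, y.name)] = w_yx, w_xy
    if not y.is_source:                     # Bellman-Ford relaxations, lines 7-8
        y.d_to_s = min(w_yx + msg["d_xs"], y.d_to_s)
        y.d_from_s = min(msg["d_sx"] + w_xy, y.d_from_s)


def run_scenario():
    """Constructed run: source s and two other processors; returns the nodes by name."""
    nodes = {n.name: n for n in (Node("s", 0.0, is_source=True),
                                 Node("a", 10.0),     # a's clock reads real time minus 10
                                 Node("b", -4.0))}    # b's clock reads real time plus 4
    # (sender, receiver, real send time, real latency, low, high); every latency respects
    # its bounds, i.e. the run satisfies the standard bounds mapping.
    traffic = [("s", "a", 0.0, 2.0, 1.0, 3.0),
               ("a", "s", 5.0, 1.5, 1.0, 3.0),
               ("s", "a", 8.0, 2.5, 1.0, 3.0),
               ("a", "b", 12.0, 3.0, 2.0, 5.0),
               ("b", "a", 20.0, 2.5, 2.0, 5.0)]
    for src, dst, t_send, latency, low, high in traffic:
        msg = augment(nodes[src], nodes[dst], t_send)
        receive(nodes[dst], nodes[src], msg, t_send + latency, low, high)
    return nodes


def outputs_are_correct(nodes, now):
    """Correctness requirement of Section 6.1: source_time lies in every [ext_L_v, ext_U_v]."""
    st = nodes["s"].local_time(now)
    return all(lo <= st <= hi for lo, hi in (n.estimate(now) for n in nodes.values()))


def estimates_are_sound(nodes):
    """Every stored weight w(x, y) bounds the true relative offset delta(x) - delta(y) from above."""
    return all(nodes[x].offset - nodes[y].offset <= w
               for n in nodes.values() for (x, y), w in n.w.items())


if __name__ == "__main__":
    nodes = run_scenario()
    for n in nodes.values():
        lo, hi = n.estimate(25.0)
        print(f"{n.name}: ext_L={lo} ext_U={hi} tightness={hi - lo}")
    print("correct:", outputs_are_correct(nodes, 25.0), "sound:", estimates_are_sound(nodes))
```

The last message (b to a) leaves a's distances unchanged, which is the monotone relaxation at work: a path through b is never shorter than the direct arcs a already knows.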


6.3.2 Correctness and Optimality 


We now prove that the algorithm above is an optimal external CSA. First we state the 
following easy fact. 

Lemma 6.5 The algorithm in Figures 6-1 and 6-2 is an admissible CSA. 

Proof: We verify the following according to Definition 3.2. 

• Clearly, the algorithm has the interface as in Figure 3-5. 

• It is straightforward to see that the algorithm has the non-interfering filtering prop- 
erty: the code is based on the generic CSA of Figure 3-6. 

• It is also easy to see that the algorithm is real-time blind, since the transitions never 
refer to the now component of the state (lines 11-12 are based on the difference in 
local times). 

• Finally, the initial states of the algorithm above are quiescent: no internal or output 
actions are enabled in an initial state, nor in any state reachable by time passage from 
them. ∎ 


We now turn to the less obvious part, namely proving that the algorithm above is an 
optimal external CSA. Before we start, we introduce the following notion. 

Definition 6.1 Let u,v be two neighbor processors in a clock synchronization system. 
Given a synchronization graph Γ = (V,E,w), the set W^{uv}(Γ) is defined to be the set of 
all numbers w(p,q), where p occurs at u, q occurs at v, and (p,q) ∈ E. 

The key for the optimality of the algorithm is the following lemma. 

Lemma 6.6 Let p be a point in an execution of the system above, and suppose that p occurs 
at processor v. Let Γ = (V,E,w) be the synchronization graph generated by the local view 
of the execution at p and its standard bounds mapping. Let ŵ and d denote the values of the 
local variables of v in the state following p. Then the following invariant holds. 

(1) For all neighbors u of v, ŵ(v,u) = min(W^{vu}(Γ)) and ŵ(u,v) = min(W^{uv}(Γ)). 
Sites: a single non-source site v 
State 
      now: non-negative real number, initially 0 
      local_time: real number, initially arbitrary 
      ext_L: real number, initially −∞ 
      ext_U: real number, initially ∞ 
      Q_i: queue for symbols of Σ, initially ∅ 
      Q_o: queue for symbols of Σ × R^5, initially ∅ 
      active: Boolean flag, initially FALSE 
  1   d(v,s), d(s,v): real numbers, initially ∞ 
  2   ŵ(v,u) and ŵ(u,v) for each u ∈ N(v): real numbers, initially ∞ 

Actions 

Send_Message_u(m)                                                        (input) 
      Eff: enqueue m in Q_o 
           active ← TRUE 

Send_Aug_Message_u(m_1, m_2)                                             (output) 
      Pre: m_1 is at the head of Q_o 
  3        m_2 = (local_time, ŵ(v,u), ŵ(u,v), d(v,s), d(s,v)) 
      Eff: remove head of Q_o 
           if Q_o = Q_i = ∅ then active ← FALSE 

Receive_Aug_Message_u(m_1, (local_time_u, ŵ_u(v,u), ŵ_u(u,v), d_u(s,u), d_u(u,s)))   (input) 
      Eff: enqueue m_1 in Q_i 
           active ← TRUE 
  4        ν ← local_time − local_time_u 
  5        ŵ(v,u) ← min{H(m_1) − ν, ŵ_u(v,u), ŵ(v,u)} 
  6        ŵ(u,v) ← min{−L(m_1) + ν, ŵ_u(u,v), ŵ(u,v)} 
  7        d(v,s) ← min{ŵ(v,u) + d_u(u,s), d(v,s)} 
  8        d(s,v) ← min{d_u(s,u) + ŵ(u,v), d(s,v)} 
  9        ext_L ← local_time − d(s,v) 
 10        ext_U ← local_time + d(v,s) 

Receive_Message_u(m_1)                                                   (output) 
      Pre: m_1 is at the head of Q_i 
      Eff: remove head of Q_i 
           if Q_o = Q_i = ∅ then active ← FALSE 

Time passage by δ                                                        (time passage) 
      Pre: active = FALSE 
           δ > 0 
      Eff: now ← now + δ 
           local_time ← local_time + δ 
 11        ext_L ← ext_L + δ 
 12        ext_U ← ext_U + δ 

Figure 6-1: Code of optimal CSA protocol for external synchronization with drift-free clocks: 
a non-source processor. The non-generic code lines are numbered. 
Sites: the source site s 
State 
      now: non-negative real number, initially 0 
      local_time: real number, initially arbitrary 
 1s   ext_L, ext_U: real numbers, always equal to local_time 
      Q_i: queue for symbols of Σ, initially ∅ 
      Q_o: queue for symbols of Σ × R^5, initially ∅ 
      active: Boolean flag, initially FALSE 
 2s   d(s,s): always 0 
 3s   ŵ(s,u) and ŵ(u,s) for each u ∈ N(s): real numbers, initially ∞ 

Actions 

Send_Message_u(m)                                                        (input) 
      Eff: enqueue m in Q_o 
           active ← TRUE 

Send_Aug_Message_u(m_1, m_2)                                             (output) 
      Pre: m_1 is at the head of Q_o 
 4s        m_2 = (local_time, ŵ(s,u), ŵ(u,s), 0, 0) 
      Eff: remove head of Q_o 
           if Q_o = Q_i = ∅ then active ← FALSE 

Receive_Aug_Message_u(m_1, (local_time_u, ŵ_u(s,u), ŵ_u(u,s), d_u(s,u), d_u(u,s)))   (input) 
      Eff: enqueue m_1 in Q_i 
           active ← TRUE 
 5s        ν ← local_time − local_time_u 
 6s        ŵ(s,u) ← min{H(m_1) − ν, ŵ_u(s,u), ŵ(s,u)} 
 7s        ŵ(u,s) ← min{−L(m_1) + ν, ŵ_u(u,s), ŵ(u,s)} 

Receive_Message_u(m_1)                                                   (output) 
      Pre: m_1 is at the head of Q_i 
      Eff: remove head of Q_i 
           if Q_o = Q_i = ∅ then active ← FALSE 

Time passage by δ                                                        (time passage) 
      Pre: active = FALSE 
           δ > 0 
      Eff: now ← now + δ 
           local_time ← local_time + δ 

Figure 6-2: Code of optimal CSA protocol for external synchronization with drift-free clocks: 
a source processor. The non-generic code lines are numbered. 
(2) Let sp be the source point of Γ. Then d_Γ(sp, p) = d(s, v), and d_Γ(p, sp) = d(v, s).

Proof: The lemma is proven by induction on the steps of e, with the initial state as a base case. For the base case, we observe that the invariant holds for all processors in the initial states of the system by lines 1-2 and 2s-3s of the code, since Γ is empty then.

For the inductive step, let p′ be the last event at v before p, or the initial state if no such event exists. If p′ is a point, let Γ′ = (V′, E′, w′) be the synchronization graph generated by the local view of the execution at p′ and its standard bounds mapping, and otherwise define Γ′ to be the empty graph. To prove the inductive step, we consider two cases.

Case 1: p is a send event. In this case, by Def. 5.4, V = V′ ∪ {p}, and if Γ′ is not empty, then E = E′ ∪ {(p, p′), (p′, p)}, w(e′) = w′(e′) for all e′ ∈ E′, and by Def. 3.11, w(p, p′) = w(p′, p) = 0. By the inductive hypothesis, the invariant holds at p′. Hence, W^out(Γ) = W^out(Γ′) and W^in(Γ) = W^in(Γ′). Since by the code the w̄ variables are unchanged by a send event, part (1) of the invariant holds in p. For part (2), note that there is only one arc incoming into p, and one arc outgoing from p. Since both arcs have weight 0, and since they connect p to p′, it follows that d_Γ(p, p_0) = d_Γ′(p′, p_0), and that d_Γ(p_0, p) = d_Γ′(p_0, p′). Again, since the algorithm does not change the value of the d variables when a send event occurs, part (2) of the invariant holds in this case.


Case 2: p is a receive event. Specifically, assume that p is the following event:

Receive_Aug_Message_v(m1, (local_time_u, w̄_u(v,u), w̄_u(u,v), d_u(s,u), d_u(u,s)))

Denote the corresponding send event at u by p″, and let Γ″ = (V″, E″, w″) be the synchronization graph generated by the local view at p″ and the standard bounds mapping. By definitions, V = V′ ∪ V″ ∪ {p}, and either E = E′ ∪ E″ ∪ {(p, p″), (p″, p)} if Γ′ is empty, or E = E′ ∪ E″ ∪ {(p, p″), (p″, p), (p, p′), (p′, p)} if Γ′ is not empty. The weights are defined by

$$
w(e) = \begin{cases}
w'(e), & \text{if } e \in E' \\
w''(e), & \text{if } e \in E'' \\
H(m_1) - \mathit{virt\_del}(p, p''), & \text{if } e = (p, p'') \\
-L(m_1) - \mathit{virt\_del}(p'', p), & \text{if } e = (p'', p) \\
0, & \text{if } e \in \{(p, p'), (p', p)\}
\end{cases}
$$




Figure 6-3: Scenario considered in the proof of Lemma 6.6. R is a shortest path from sp to 
p with last arc (q,p). 


Part (1) of the invariant in this case is proven as follows. By definitions, W^out(Γ) = W^out(Γ′) ∪ W^out(Γ″) ∪ {w(p, p″)}, and W^in(Γ) = W^in(Γ′) ∪ W^in(Γ″) ∪ {w(p″, p)}. Hence

$$
\min\bigl(W^{out}(\Gamma)\bigr) = \min\bigl(W^{out}(\Gamma') \cup W^{out}(\Gamma'') \cup \{H(m_1) - \mathit{virt\_del}(p, p'')\}\bigr)
$$

and

$$
\min\bigl(W^{in}(\Gamma)\bigr) = \min\bigl(W^{in}(\Gamma') \cup W^{in}(\Gamma'') \cup \{-L(m_1) - \mathit{virt\_del}(p'', p)\}\bigr),
$$

which, according to the inductive hypothesis applied to p′ and p″, is exactly the calculation in lines 4-6 and 5s-7s. This proves part (1) of the invariant.

For the second part of the invariant, let us prove that d(s, v) = d_Γ(sp, p). The claim is trivial for v = s, according to line 2s. So suppose v ≠ s. Consider a shortest path from sp to p that contains no cycles. This is possible since by Lemma 5.3, all cycles in Γ have non-negative weight. Focus on the last arc of the path in question, i.e., the arc that leads to p (see Figure 6-3). Denote this arc (q, p), where q ∈ {p′, p″}, and let Γ* be the synchronization graph at q. By the choice of q, d_Γ(sp, p) = d_Γ(sp, q) + w(q, p). By the induction hypothesis, we have that at q, the d variables are equal to the corresponding distances in Γ*. Also, we have that after line 7, w̄(v, u) = min(W^out(Γ)) and w̄(u, v) = min(W^in(Γ)). Therefore, by line 9 of the code, it suffices to prove that d_Γ(sp, q) = d_Γ*(sp, q). We do this in two steps. First, notice that d_Γ(sp, q) ≤ d_Γ*(sp, q) since Γ* is a subgraph of Γ. Next we argue that d_Γ(sp, q) ≥ d_Γ*(sp, q) by contradiction: suppose that d_Γ(sp, q) < d_Γ*(sp, q). Then all shortest paths from sp to q in Γ are shorter than the shortest path from sp to q in Γ*. Consider such a shortest path which is simple (this is possible since Γ has no negative-weight cycles). This path must end with the arc (p, q), or otherwise it is completely contained in Γ*. It follows that the shortest path from sp to p goes through p, q, and back to p (see Figure 6-3), a contradiction to the choice of the path as simple. Therefore, d_Γ(sp, q) ≥ d_Γ*(sp, q), and we conclude that d_Γ(sp, q) = d_Γ*(sp, q).

To show that d(v, s) = d_Γ(p, sp), we repeat the symmetrical argument for the first arc of a simple shortest path from p to sp, and use line 8 of the code instead of line 9. □


We can now prove the optimality of the algorithm. 


Theorem 6.7 The CSA algorithm in Figure 6-1 and Figure 6-2 is an optimal algorithm (in the sense of Def. 4.1) for all external synchronization environments where all clocks are drift-free.


Proof: Clearly, the algorithm may be composed with any environment of external synchronization where all clocks are drift-free. Consider any state x of an execution of the algorithm, let v be any processor, and let T_{v,x} = local_time_v(x). Let Γ be the synchronization graph generated by the local view of v at time T_{v,x} and the standard bounds mapping. Denote the null point in Γ that occurs at v at local time T_{v,x} by p_{v,x}. Let p′ be the last point that occurs at v before p_{v,x}, and let Γ′ be the synchronization graph generated by the local view at p′ and the standard bounds mapping. By Lemma 6.1, d_Γ(p_{v,x}, sp) = d_Γ′(p′, sp), and d_Γ(sp, p_{v,x}) = d_Γ′(sp, p′). Hence

$$
\begin{aligned}
\mathit{source\_time}(x) &\in \bigl[T_{v,x} - d_\Gamma(sp, p_{v,x}),\; T_{v,x} + d_\Gamma(p_{v,x}, sp)\bigr] && \text{by Lemma 6.2} \\
&= [\mathit{ext\_L}, \mathit{ext\_U}] && \text{by lines 9-12 and Lemma 6.6}
\end{aligned}
$$

This means that the algorithm is correct. The optimality of the algorithm follows immediately from the lower bound of Theorem 6.3. □


6.4 The Round-Trip Technique 


It may be interesting at this point to compare our analysis and algorithms with the common clock synchronization technique known as "round-trip probes." For concreteness, we take the external synchronization system NTP (Network Time Protocol, the clock synchronization algorithm used over the Internet [26]) as our prime source for this technique. We consider here a simplified variant of NTP, called SNTP, that was introduced in Section 3.1.5. In the SNTP system, we have only two processors with drift-free clocks, connected by perfect asynchronous links. We denote the source processor by s, and the non-source processor by v. SNTP is rigorously defined in Section 3.1.5, with a technique for a single
[Figure 6-4: three time-space diagrams (a), (b), (c) of processors s and v, with the points p, q, q′, p′ labelled local time = LT_1, LT_2, LT_3, LT_4.]

Figure 6-4: Reproduction of Fig. 3-7. (a) A typical round trip technique. (b) m is in transit TT time units. (c) m′ is in transit TT time units.


round trip. In this section, we extend the presentation to multiple round-trips, and focus on the way their results are combined. Let us recall briefly the main ideas.

Periodically, v sends a message to s, which in turn responds by sending a message back to v (hence the name "round trip"). Consider the round trip depicted in Figure 6-4(a), where v sends a message m to s, and s responds by sending m′ to v. Let TT denote the total transit time of m and m′. The bounds on the source time are obtained by considering two extreme scenarios, in which one message is in transit TT time units and the other is delivered instantaneously (Figure 6-4 (b,c)). Skipping the details (they can be found in Section 3.1.5), we remark that the bounds generated by the CSA module at v at point q′ are

[ext_L, ext_U] = [LT_3, LT_3 + TT].


Clearly, the tightness of the synchronization thus computed is exactly the total transit time. In other words, the faster the messages are delivered, the better synchronization is achieved. This fact led the designers of NTP to the following conclusion: when there are many round trips, the one with the least total transit time is chosen as best, and its corresponding bounds are output. Specifically, whenever a round trip is completed, its total transit time is compared against the current tightness; if the current tightness is better (i.e., smaller), that round trip is discarded, and otherwise, the bounds obtained by that round-trip replace the current values of the output variables. The formal specification of the CSA at v for multiple round-trips is given in Figure 6-5 (note the "if then" clause in the effect of the Receive_Aug_Message action). The code for the source processor is identical to the case of a single round-trip (see Figure 3-9).

Let us now consider the behavior of the algorithm described in Section 6.3 for this toy 
environment. Note that the patterns generated by the environment of SNTP are a subset of 
the patterns generated by the general environment described in Section 3.1, and therefore 
it makes sense to consider the CSAs of Section 6.3 in the context of the environment of 
SNTP. 

Our first remark regards the single round-trip scenario depicted in Figure 6-4 (a). Us- 
ing Definitions 3.11 and 5.4, we get that the synchronization graph corresponding to this 
scenario is the one depicted in Figure 6-6. It is straightforward to verify that the extreme 
scenarios depicted in Figure 3-7 (b,c) are, in fact, the executions whose existence is guaran- 
teed by Theorem 5.8 for this view and bounds mapping. As a consequence, the output of 
the algorithm of Section 6.3, and the bounds computed by SNTP are identical in this case. 

However, in a scenario that consists of more than a single round-trip, the algorithm of 
Section 6.3 may do much better. By computing the distances in the synchronization graph, 
our algorithm in effect finds the fastest message delivered over the link in each direction 
independently, while SNTP finds the best round-trip using a pre-specified matching of the 
messages into pairs. 

Let us consider a concrete example. In Figure 6-7 (a) we have a diagram of a two-round-trip scenario. Suppose that the total transit time of the first round-trip is smaller than the one in the second, i.e., let TT_1 = (LT_4 − LT_1) − (LT_3 − LT_2), let TT_2 = (LT_8 − LT_5) − (LT_7 − LT_6), and assume TT_1 < TT_2. In this case, the tightness of synchronization produced by SNTP after the scenario is TT_1. By contrast, the algorithm of Section 6.3 finds the best possible round trip in the execution: in our example, the picture suggests that TT* = (LT_8 − LT_1) − (LT_7 − LT_2) is the best choice, and in particular, TT* < TT_1.

Notice that TT* may be arbitrarily smaller than TT_1, and hence the local competitive factor of SNTP cannot be bounded even in this simple case.
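The comparison just made, worked through in an added example that is not part of the thesis: the drift-free CSA of Figures 6-1 and 6-2 and the best-round-trip rule of Figure 6-5 run side by side on a two-round-trip scenario shaped like Figure 6-7(a). The local times, the clock offset and the latency bounds (L = 0 and H = ∞, as in SNTP) are constructed, and the field order of the piggybacked tuple is this example's own convention.

```python
import math
from dataclasses import dataclass, field

INF = math.inf


@dataclass
class DriftFreeCsa:
    """One processor's state in the superpoint algorithm of Figures 6-1/6-2: w holds
    the lightest known arc between two superpoints, d_to_s is d(v,s) and d_from_s is
    d(s,v); at the source both distances are always 0."""
    name: str
    source: str
    w: dict = field(default_factory=dict)
    d_to_s: float = INF
    d_from_s: float = INF

    def __post_init__(self):
        if self.name == self.source:
            self.d_to_s = self.d_from_s = 0.0

    def wbar(self, x, y):
        return self.w.get((x, y), INF)

    def augment(self, local_time, peer):
        """m2 piggybacked on a message to `peer`.  Field order is this example's own:
        (local_time, w(v,u), w(u,v), d(v,s), d(s,v)) with v = self and u = peer."""
        return (local_time, self.wbar(self.name, peer), self.wbar(peer, self.name),
                self.d_to_s, self.d_from_s)

    def receive(self, local_time, peer, aug, H, L):
        """Effect of Receive_Aug_Message at v = self for a message from u = peer whose
        latency is known to lie in [L, H].  Returns (ext_L, ext_U) after the update."""
        v, u = self.name, peer
        lt_u, wu_uv, wu_vu, du_to_s, du_from_s = aug
        gamma = local_time - lt_u                   # difference of the two raw clocks
        # arc v->u (receiver to sender) weighs H - gamma, arc u->v weighs -L + gamma
        self.w[(v, u)] = min(H - gamma, wu_vu, self.wbar(v, u))
        self.w[(u, v)] = min(-L + gamma, wu_uv, self.wbar(u, v))
        if v != self.source:                        # relax the distances via u
            self.d_to_s = min(self.wbar(v, u) + du_to_s, self.d_to_s)
            self.d_from_s = min(du_from_s + self.wbar(u, v), self.d_from_s)
        return local_time - self.d_from_s, local_time + self.d_to_s


@dataclass
class SntpCsa:
    """Best-round-trip rule of Figure 6-5 at the non-source processor v."""
    ext_L: float = -INF
    ext_U: float = INF
    LT1: float = INF
    clock: float = None

    def advance_to(self, local_time):
        # time-passage action: the output bounds move along with the local clock
        if self.clock is not None:
            delta = local_time - self.clock
            self.ext_L += delta
            self.ext_U += delta
        self.clock = local_time

    def send(self, local_time):
        self.advance_to(local_time)
        self.LT1 = local_time

    def receive(self, local_time, LT2, LT3):
        self.advance_to(local_time)
        TT = (local_time - self.LT1) - (LT3 - LT2)
        if TT < self.ext_U - self.ext_L:    # the "if then" clause: keep only a tighter trip
            self.ext_L, self.ext_U = LT3, LT3 + TT
        return self.ext_L, self.ext_U


# Constructed scenario in the shape of Figure 6-7(a).  v's clock reads real time, the
# source clock is OFFSET ahead, both drift-free.  Each tuple is (LT1, LT2, LT3, LT4):
# v sends m at LT1, s receives it at LT2 and answers at LT3, v receives m' at LT4.
OFFSET = 100.0
ROUND_TRIPS = [
    (0.0, 101.0, 102.0, 11.0),    # m takes 1, m' takes 9:  TT_1 = 10
    (20.0, 130.0, 131.0, 32.0),   # m takes 10, m' takes 1: TT_2 = 11
]


def total_transit(LT1, LT2, LT3, LT4):
    """TT as used by SNTP; pairing m of one round trip with m' of another gives TT*."""
    return (LT4 - LT1) - (LT3 - LT2)


def run_scenario(round_trips=ROUND_TRIPS, offset=OFFSET, H=INF, L=0.0):
    """Feed the same round trips to both modules; return the final bounds at v."""
    s, v = DriftFreeCsa("s", "s"), DriftFreeCsa("v", "s")
    sntp = SntpCsa()
    for LT1, LT2, LT3, LT4 in round_trips:
        sntp.send(LT1)
        s.receive(LT2, "v", v.augment(LT1, "s"), H, L)          # m:  v -> s
        csa = v.receive(LT4, "s", s.augment(LT3, "v"), H, L)    # m': s -> v
        sntp_bounds = sntp.receive(LT4, LT2, LT3)
    return {
        "csa": csa, "sntp": sntp_bounds,
        "csa_tightness": csa[1] - csa[0],
        "sntp_tightness": sntp_bounds[1] - sntp_bounds[0],
        "true_source_time": round_trips[-1][3] + offset,
    }


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(f"{key:>17}: {val}")
```

After the first round trip both modules output [102, 112]; after the second, SNTP keeps its first round trip (width 10) while the superpoint algorithm combines the fast m of the first trip with the fast m′ of the second and outputs [131, 133].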

Intuitively, the round-trip technique used by NTP is handicapped since it potentially 
pairs a “good” message in one direction with a “bad” message in the other direction. We 
remark that in the case of a system of more than one link, the pairing of good and bad 
messages may be even more severe: consider the set of messages used to establish the bounds 


of the output variables. These messages correspond to paths (in the synchronization graph) 
Sites: a single site v

State
    now: non-negative real number, initially 0
    local_time: real number, initially arbitrary
    ext_L: real number, initially −∞
    ext_U: real number, initially ∞
    Q_i: queue for symbols of Σ, initially ∅
    Q_o: queue for symbols of Σ × R^2, initially ∅
    active: Boolean flag, initially FALSE
    LT_1: a real number, initially undefined

Actions

Send_Message_v(m)  (input)
    Eff: enqueue m in Q_o
         active ← TRUE
         LT_1 ← local_time

Send_Aug_Message_v(m1, (0, 0))  (output)
    Pre: m1 is at the head of Q_o
    Eff: remove head of Q_o
         if Q_o = Q_i = ∅ then active ← FALSE

Receive_Aug_Message_v(m1, (LT_2, LT_3))  (input)
    Eff: enqueue m1 in Q_i
         active ← TRUE
         LT_4 ← local_time
         TT ← (LT_4 − LT_1) − (LT_3 − LT_2)
         if TT < (ext_U − ext_L) then
             ext_L ← LT_3
             ext_U ← LT_3 + TT

Receive_Message_v(m1)  (output)
    Pre: m1 is at the head of Q_i
    Eff: remove head of Q_i
         if Q_o = Q_i = ∅ then active ← FALSE

ν_δ  (time passage)
    Pre: active = FALSE
         δ > 0
    Eff: now ← now + δ
         local_time ← local_time + δ
         ext_L ← ext_L + δ
         ext_U ← ext_U + δ

Figure 6-5: Code of the CSA module in SNTP for processor v (the best round-trip is chosen).
Figure 6-6: The synchronization graph corresponding to the scenario in Fig. 6-4 (a), assuming that the clocks are drift-free and that the transmission time of a message can be any value between 0 and ∞.

Figure 6-7: A time-space diagram of two round trips is given in (a), with local times of the points. SNTP chooses the round trip with the smallest total transit time (enclosed in the dashed frame in (a)). For the same scenario, the algorithm of Section 6.3 implicitly chooses the best message in each direction independently, and in effect finds the best possible round trip (dashed arrows in (b)). The corresponding synchronization graph is given in (c), where the lightest arcs connecting points of s and v are boldfaced.
to and from the source. The round trip technique forces both paths to be over the same physical links, i.e., the messages used in one direction must be transmitted over the same links over which the messages used in the other direction were transmitted. Our algorithm, by contrast, chooses messages independently for each direction, and it may well be the case that the set of messages used to establish a lower bound are transmitted over different links from those over which the messages used for the upper bound were transmitted.
Summary

In this chapter we defined and analyzed the external clock synchronization problem. In this problem, a distinguished source processor is assumed to have a drift-free clock, and the task of all processors is to keep updated bounds on the current value of the source clock. Using synchronization graphs, we derived matching lower and upper bounds on external synchronization in general systems, where the clocks of non-source processors may have arbitrary drift bounds and messages may have arbitrary latency bounds.

The algorithm used for the upper bound is a full information protocol, and therefore it is inefficient. By contrast, we presented an extremely efficient algorithm for the case of drift-free clocks. The latter algorithm is based on the observation that all points associated with a drift-free clock in the synchronization graph can be collapsed into a single superpoint, and thus it is sufficient to compute distances between superpoints.

We have also examined the popular technique of round trips. Using a toy system based on NTP, we showed that for a single round trip this technique yields the same result as our algorithm. In a multiple round-trip scenario, however, the output of our algorithm will usually be better.
Chapter 7


Internal Synchronization 


In this chapter we prove a lower bound on the tightness of another variant of clock synchro- 
nization, called internal clock synchronization [6]. The goal of internal synchronization is 
that all processors generate a “tick,” called fire below, such that all fire steps occur in the 
smallest possible interval of real time. An algorithm for internal synchronization is required 
to provide bounds on the length of this real time interval, and the smallest difference in an 
execution is the internal tightness of that execution. 

The task of internal synchronization has been the target of considerable research (see, 
e.g., [19, 7, 13, 3] and the survey [31]). However, to the best of our knowledge, the only 
known non-trivial lower bounds for internal tightness were for the case of drift-free clocks. 
In this chapter, based on synchronization graphs, we give a lower bound for the internal 
tightness in a synchronization system with bounded-drift clocks. We remark that the lower 
bound presented in this chapter is based on views, rather than local views: lower bounds 
that hold for a given view hold a fortiori for its local views. 

This chapter is organized as follows. In Section 7.1 we define internal clock synchroniza- 


tion formally, and in Section 7.2 we present the lower bound. 


7.1 Definition of Internal Synchronization 


In this section we recall our definition of internal synchronization (see Section 4.1). An 
internal clock synchronization system is a clock synchronization system, where each CSA 


module has a special internal action called fire.¹ The correctness requirement of the internal synchronization task is that

(1) each processor v takes a fire_v action exactly once during an execution of the system, and

(2) the CSA at each processor v maintains output variables called int_L_v and int_U_v, such that at all states, the real time interval [now(fire_v) + int_L_v, now(fire_v) + int_U_v] contains all the fire events in the execution.

¹The fire action is internal so as to keep the interface of CSAs standard (see Figure 3-5).

The internal tightness of an execution of an internal synchronization system at a processor 
v, denoted tightness,(e), is the infimum over the difference (int_U, — int_L,) in all states 
of the execution. 

Intuitively, the fire actions represent the event of resetting some logical clock maintained 
by the CSAs; the output variables express the synchronization guarantee made by the CSA. 
By the properties of CSAs (specifically, their real-time blindness and their quiescent initial 
states), one can show that their initial values must be int_L = —oo and int_U = oo; as the 
execution progresses, the CSA modules gather information about the occurrence of remote 


fire actions that may enable them to reduce the difference between their output values. 


7.1.1 Discussion


Intuitively, the motivation for internal synchronization is to maintain some clock variables in each processor, such that their values are as close as possible. This requirement alone is not sufficient, since it allows for the trivial solution where all clock variables always have the same fixed value (say, 0). Dolev et al. discuss this issue in depth [7]. In [19], this difficulty is avoided as follows. Each processor v is assumed to have a special output variable denoted CORR_v; the tightness is measured as the maximal difference between the values of local_time_v + CORR_v, over all processors v. To rule out the trivial solution of setting CORR_v = −local_time_v, in [19] the executions of synchronization algorithms are required to be finite, i.e., at some point the algorithm enters a terminating state, after which the CORR variable is fixed. The tightness is defined to be the maximal difference between the local_time_v + CORR_v values, measured only when the algorithm is in a final state.

In [13], the difficulty of problem definition is solved differently: each processor is required to flip a special internal bit during the execution of the algorithm; the tightness is defined to be the maximal difference in real time between two remote bit flips. We adopted this definition (the bit flip is equivalent to our fire action), and added the output variables for ease of exposition.


7.2 A Lower Bound on Internal Tightness


In this section we derive a lower bound on the tightness of internal synchronization in general systems with bounded-drift clocks. To state the result, we define the following graph-theoretic concept. Recall that for a path θ in a weighted graph, w(θ) denotes the sum of the weights of arcs in θ, and let |θ| denote the number of arcs in θ.

Definition 7.1 Let G = (V, E, w) be a weighted directed graph. The maximum cycle mean of G, denoted mcm(G), is the maximum average weight of an edge in a directed cycle of G. That is, mcm(G) = max {w(θ)/|θ| : θ is a directed cycle of G}.


We remark that the maximum cycle mean can be computed in polynomial time [14]. 

To analyze internal synchronization systems, the definition of patterns and views is extended so that the fire steps are points with the usual attributes (i.e., processor of occurrence, local time of occurrence, and for patterns, real time of occurrence). We extend the standard bounds mapping too, using Def. 3.11. Synchronization graphs for internal synchronization systems are thus also naturally defined. It turns out that the following derivative of synchronization graphs is useful for the analysis of internal synchronization.

Definition 7.2 Given a synchronization graph Γ = (V, E, w) of an internal clock synchronization system, the internal synchronization graph is a directed, weighted graph Γ̄ = (V̄, Ē, w̄), where the set of points V̄ consists of all the fire points in V; there is an arc in Ē between every pair of points of V̄; and w̄(fire_u, fire_v) = d_Γ(fire_u, fire_v) for each (fire_u, fire_v) ∈ Ē.


We can now state and prove the lower bound. 


Theorem 7.1 Let e be an execution of an internal clock synchronization system, and let Γ̄ be the internal synchronization graph generated by the view of e and the standard bounds mapping. Then tightness_v(e) ≥ mcm(Γ̄) for all processors v.

Proof: Suppose first that mcm(Γ̄) = ∞. Then, by the definition of Γ̄, there are some processors u, v with d_Γ(fire_u, fire_v) = ∞. Hence, by Theorem 5.7, for any N > 0 there exists an execution e_N in which δ(fire_u, fire_v) > N. Moreover, since the output variables are part of the basic component of the state of CSAs, we have from Theorem 5.7 that the set of output values of the CSA at v are identical in all the e_N. Let act_del_N denote the actual delay function in e_N. Since for any two points in any execution we have δ(p, q) = act_del(p, q) − virt_del(p, q), and since virt_del(fire_u, fire_v) is fixed (it is a part of the view of e), it follows that the set of numbers {act_del_N(fire_u, fire_v) : N > 0} cannot be bounded. Therefore, by the correctness requirement for internal CSAs, we must have tightness_v(e) = ∞ for all processors v, and the theorem holds in this case.

Consider now the case where mcm(Γ̄) < ∞. Let θ = (p_0, p_1, ..., p_{|θ|} = p_0) be an arbitrary directed cycle in Γ̄. Fix an arbitrary processor v. By Theorem 5.7, for each 1 ≤ i ≤ |θ|, there exists an execution e_i with offset function δ_i, such that

$$
\delta_i(p_{i-1}, p_i) = \bar{w}(p_{i-1}, p_i). \qquad (7.1)
$$

Theorem 5.7 also says that the set of output values at v (being part of the basic state of the CSA at v) is the same in e and all the e_i. We therefore have that for each i,

$$
\begin{aligned}
\mathit{tightness}_v(e) &= \mathit{tightness}_v(e_i) \\
&\ge \mathit{now}_{e_i}(p_{i-1}) - \mathit{now}_{e_i}(p_i) && \text{correctness requirement} \\
&= \delta_i(p_{i-1}, p_i) + \mathit{virt\_del}(p_{i-1}, p_i) && \text{by definition of offset} \\
&= \bar{w}(p_{i-1}, p_i) + \mathit{virt\_del}(p_{i-1}, p_i) && \text{by Eq. (7.1)}
\end{aligned}
$$

Summing the above over all i, we get

$$
\begin{aligned}
|\theta| \cdot \mathit{tightness}_v(e) &\ge \sum_{i=1}^{|\theta|} \bar{w}(p_{i-1}, p_i) + \sum_{i=1}^{|\theta|} \mathit{virt\_del}(p_{i-1}, p_i) \\
&= \sum_{i=1}^{|\theta|} \bar{w}(p_{i-1}, p_i) + \sum_{i=1}^{|\theta|} \bigl(\mathit{local\_time}(p_{i-1}) - \mathit{local\_time}(p_i)\bigr) \\
&= \bar{w}(\theta)
\end{aligned}
$$

because the second sum is cyclic. In other words, for any processor v, tightness_v(e) ≥ w̄(θ)/|θ|. Since θ was an arbitrary cycle in Γ̄, we conclude that tightness_v(e) ≥ mcm(Γ̄), as desired. □
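Definitions 7.1 and 7.2 and the bound of Theorem 7.1, worked through in an added example that is not part of the thesis: three processors with drift-free clocks (so each processor's points collapse into one superpoint, as in Section 6.3), a constructed set of messages with local send and receive times, and latency bounds L = 0 and H = 10 for every message. Arc weights follow the update rules of Figure 6-1, distances are computed with Floyd-Warshall, and the maximum cycle mean is found by enumerating simple cycles; the processor names and times are constructed.

```python
import math
from itertools import permutations

INF = math.inf

# Constructed scenario.  Each message is (sender, send local time, receiver, receive
# local time); only local times, which the view contains, are used.
MESSAGES = [("A", 0.0, "B", 3.0), ("B", 4.0, "C", 5.0), ("C", 6.0, "A", 8.0)]
L, H = 0.0, 10.0


def superpoint_graph(messages, L, H):
    """Lightest arcs between superpoints, using the standard bounds mapping as it appears
    in the Receive_Aug_Message effect of Figure 6-1: a message from u to v with
    gamma = local_time(receive) - local_time(send) gives the arc u->v weight -L + gamma
    and the arc v->u weight H - gamma."""
    nodes = sorted({p for m in messages for p in (m[0], m[2])})
    w = {(x, y): (0.0 if x == y else INF) for x in nodes for y in nodes}
    for u, lt_send, v, lt_recv in messages:
        gamma = lt_recv - lt_send
        w[(u, v)] = min(w[(u, v)], -L + gamma)
        w[(v, u)] = min(w[(v, u)], H - gamma)
    return nodes, w


def all_pairs_distances(nodes, w):
    """Floyd-Warshall; d(x,y) is the distance d_Gamma between the superpoints."""
    d = dict(w)
    for k in nodes:
        for i in nodes:
            for j in nodes:
                d[(i, j)] = min(d[(i, j)], d[(i, k)] + d[(k, j)])
    return d


def internal_synchronization_graph(nodes, d):
    """Definition 7.2: one node per fire point (one per processor here), an arc between
    every ordered pair, weighted by the distance in the synchronization graph."""
    return {(x, y): d[(x, y)] for x in nodes for y in nodes if x != y}


def max_cycle_mean(nodes, arcs):
    """Definition 7.1 by exhaustive enumeration of simple directed cycles, which is
    fine for a handful of fire points (Karp's algorithm does it in polynomial time)."""
    best = -INF
    for k in range(2, len(nodes) + 1):
        for cyc in permutations(nodes, k):
            if cyc[0] != min(cyc):      # count each cycle once: start at its least node
                continue
            weight = sum(arcs.get((cyc[i], cyc[(i + 1) % k]), -INF) for i in range(k))
            best = max(best, weight / k)
    return best


def internal_tightness_lower_bound(messages=MESSAGES, L=L, H=H):
    """Theorem 7.1: tightness_v(e) >= mcm of the internal synchronization graph.
    Returns the bound together with the superpoint distances it was derived from."""
    nodes, w = superpoint_graph(messages, L, H)
    d = all_pairs_distances(nodes, w)
    return max_cycle_mean(nodes, internal_synchronization_graph(nodes, d)), d


if __name__ == "__main__":
    bound, dist = internal_tightness_lower_bound()
    print("superpoint distances:", {k: v for k, v in dist.items() if k[0] != k[1]})
    print("no algorithm can guarantee internal tightness below", bound)
```

Here every 2-cycle has mean 3 and the cycle A→C→B→A has mean 4, so the bound is 4 even though each individual pair of processors would suggest only 3.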




Theorem 7.1 coincides with known results for the special case of systems with drift-free clocks. For example, Lundelius and Lynch [19] considered a system of n processors, where the underlying communication graph is complete, and the latency bounds of all messages are finite and identical (say upper bound H and lower bound L). The corresponding synchronization graph consists of n points (one per processor), and between each pair of points p, q there are arcs (p, q) and (q, p) with weights satisfying w(p, q) + w(q, p) = H − L. It can be shown that for these graphs, the maximum cycle mean is (H − L)(n − 1)/n, which is the lower bound proved in [19].

Halpern, Megiddo and Munshi [13] extended the result of [19] to the case where the 
underlying graph of the system is not complete, and the latency bounds for each link may 
be different (i.e., there are different H and L for each link). Again, their lower bound can be 
viewed as showing that the worst possible scenario under the given constraints is bounded 
by the maximal cycle mean in the corresponding synchronization graph. 

Attiya, Herzberg and Rajsbaum [3] refined the results of [13] to hold for each execution 
of the system, rather than for the worst possible executions. Theorem 7.1 generalizes the 
result of [3] to the case of bounded-drift clocks. Our result generalizes the previous bounds 


also to the case where the latency bounds may be different for each individual message. 
Summary

In this chapter we discussed the internal clock synchronization problem, defined formally following the definition of [13]. Using synchronization graphs, we presented a new lower bound for internal synchronization in systems with drifting clocks. This lower bound generalizes known lower bounds for systems with drift-free clocks to the general case of bounded-drift clocks.
Chapter 8

The Space Complexity of Optimal Synchronization


Call a synchronization algorithm general if it works for all possible environments as defined in Section 3.1, i.e., for all possible views, all possible message latency bounds, and all possible clock drift bounds. (For example, the full information protocol used in the proof of Theorem 6.4 is a general algorithm for external synchronization, whereas the algorithm described in Section 6.3 is not general, since it works only for drift-free clocks.) In this chapter we provide strong evidence suggesting that a general CSA for external synchronization which is optimal must be inefficient, or more specifically, that such an algorithm cannot have bounded space complexity.

Recall that in external clock synchronization systems, the CSAs are required to compute 
bounds on the current reading of some designated drift-free clock called the source clock 
(see Section 4.1 for the full definition). In this chapter, we prove that for a certain reason- 
able computational model, there exist scenarios in which the space complexity required to 
compute optimal output cannot be bounded. The result is obtained in a small system (four 
processors, two of which have drift-free clocks). 

The first problem in formalizing a space lower bound is that our model allows for real 
numbers: a real number can be used to encode an unbounded amount of information. Our 
strategy to get around this difficulty is to bound from below the number of “control bits” 
required to run the program, where we disallow fiddling with the input values. 


The moral of the result presented in this chapter is that one cannot have a synchronization algorithm which is simultaneously optimal, general, and efficient. An algorithm designer must decide which of the three is to be sacrificed. We remark that as a by-product, this chapter indicates that the inefficiency of the algorithm used in the proof of Theorem 6.4 was, in a certain sense, unavoidable, since that algorithm is both general and optimal.

The remainder of the chapter is organized as follows. In Section 8.1 we describe the 
computational model in the context of CSAs, and in Section 8.2 we give the space lower 


bound proof. 


8.1 The Computational Model 


The model we use for computations of CSAs is a particular kind of the computation tree model. First, we define the following algebraic concept.


Definition 8.1 A special linear form for a set X = {x_1, ..., x_N} is a sequence of N integers f = (c_1, ..., c_N). The value of f under the assignment x_1 = a_1, ..., x_N = a_N is

$$
f(a_1, \ldots, a_N) = \sum_{i=1}^{N} c_i a_i ,
$$

where a_i ∈ ℝ ∪ {−∞, ∞}.¹ If b = f(a_1, ..., a_N) for some special linear form f, then b is said to be a special linear combination of a_1, ..., a_N.

¹We use the conventions that for any finite number r, r + ∞ = ∞, r − ∞ = −∞, 0·∞ = 0·(−∞) = 0, and ∞ − ∞ is undefined.

We have the following simple lemma.

Lemma 8.1 If b is a special linear combination of a_1, ..., a_N, and for each i = 1, ..., N we have that a_i is a special linear combination of a_{i1}, ..., a_{iK_i}, then b is a special linear combination of a_{11}, ..., a_{1K_1}, ..., a_{N1}, ..., a_{NK_N}.

Proof: Since b = Σ_{i=1}^{N} c_i a_i for some integers c_i, and since for each i we have a_i = Σ_{j=1}^{K_i} c_{ij} a_{ij} for some integers c_{ij}, we can write b as the special linear combination

$$
b = c_1 c_{11} a_{11} + \cdots + c_1 c_{1K_1} a_{1K_1} + \cdots + c_N c_{N1} a_{N1} + \cdots + c_N c_{NK_N} a_{NK_N} .
$$

□

We now define the computational model. For simplicity of presentation, we present below a model for deterministic CSAs; the extension to non-deterministic CSAs is straightforward. A program for a CSA module is specified by a directed labeled tree, where the root of the tree is called the start node, and the edges are directed away from the start node. Intuitively, nodes represent control configurations of the program, and executions of the program proceed by following a directed path in the tree, starting at the start node. Formally, let us call the nodes at even distance from the start node even nodes, and nodes at odd distance from the start node odd nodes. The subtree of depth two rooted at each odd node corresponds to an input action followed by an output action of the CSA, as dictated by the non-interfering filtering condition. Specifically, we define the node labels as follows (see Figure 8-1 for an example of the first three layers of a program tree).


• Each odd node is labeled by an input action name and input variables, where the input variables contain the local time and bounds mapping values (specified later); we call these variables local variables. If the action is Receive_Aug_Message(m, m′), there are also message variables, which correspond to values in m′. We require that for each even node, there is exactly one child node for any possible input action.

• Each even node, except for the start node, is labeled by an output action name, a computation predicate, and some output forms according to the following rules.

  – The output action of an odd node corresponds to the input action of its parent in the tree according to the non-interfering filtering property, i.e., if the action of the parent is Send_Message(m), then all its children nodes have an action of the type Send_Aug_Message(m, m′), and if the action of the parent is Receive_Aug_Message(m, m′), then the action of all its children is Receive_Message(m).

  – For an even node p in the tree, let X(p) denote the set of input variables in labels on the path from the start node to p. The computation predicate of p is an arbitrary predicate over X(p), and the output forms associated with p are special linear forms for X(p).

  For each even node q, for any possible assignment of values to X(q), we require that there is exactly one computation predicate among its children that evaluates to TRUE.


An execution of the CSA in this model proceeds by moving a "token" (which represents the current control configuration) along the tree according to the labels in the following way. Initially, the token is placed at the start node. Whenever an input action occurs, the token is moved down the tree to the odd node whose label matches the input action name. In addition, the input variables associated with the odd node are instantiated. Next, an even
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start node 


action name: 
Receive_Aug_Message(m.<a,b,c>) 

input variables: 

{local_time, B(p,q), B(q,p), a, b, c} 


action name: 
Send_Message(m) 

input variables: 
{local_time} 


action name: 
Send_Aug_Message(m.<x,y>) 
computation predicate: 
TRUE 


output forms: action name: action_name: 
ext_U := local_time Receive_Message(m) Receive_Message(m) 
ext_L :=0_ computation predicate: computation predicate: 
Xs local_time a-b < local_time a-b >= local_time 
y= output forms: output forms: 
ext_U:=c ext_Ui=a 
ext_L := local_time-—c ext_L := local_time—a 


Figure 8-1: The first three layers of a program: an example. The odd nodes are labeled by 
input action names and input variables, and the nodes at depth 2 are labeled by an output 
action name, a computation predicate and output forms. 


node down the tree is selected by choosing the node whose computation predicate evaluates 
to TRUE under the current assignment of the input values. The outcome of the predicates 
is well defined, as all their variables are instantiated at this stage. The output values are 
defined by instantiating the output forms associated with the chosen even node. 

Let us now be more specific about the input variables and the output values of a program 
for a CSA. The input variables associated with an odd node, which in turn corresponds to an 
input step p, always include local_time(p), and the values of the standard bounds mapping 
of all the pairs (p, q) and (q, p), for all points q which are adjacent to p in the local view 
from p (if there are any). In addition, if p is a receive point, then the input also contains 
all the values that arrive in the incoming message. We restrict the message alphabet used 
by CSAs to be strings over R ∪ {−∞, ∞}. The output forms associated with an even node 
which corresponds to a point p always contain forms for the mandatory output variables 
(i.e., ext_L and ext_U); if p happens to be a send point, then there is an output form 
corresponding to each value to be sent in the outgoing message. The output values of the 
CSA, at any state of the execution, are generated by instantiating the last output forms by 
the input values. 

When time passage occurs, the local time and bounds mapping values are updated. 
Since these values may appear in the output forms for ext_L and ext_U, the output values 
are potentially updated as well. This completes the description of the way CSAs work in 
our model. 
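As an added illustration, which is not code from the thesis, the following Python sketch implements the program-tree model just described and encodes the three legible layers of Figure 8-1: odd nodes bind input variables, even nodes carry a computation predicate and special linear forms over X(p), the token walk enforces the requirement that exactly one predicate evaluates to TRUE, time passage re-instantiates the last output forms, and the space measure is the base-2 logarithm of the maximal degree. The forms for the message values x and y of the Send_Aug_Message node are not legible in the figure, so the ones used here are assumed.

```python
import math


class LinearForm:
    """A special linear form: integer coefficients over named input variables
    plus an integer constant (the only shape an output form may take)."""

    def __init__(self, coeffs=None, const=0):
        self.coeffs = dict(coeffs or {})
        self.const = const

    def evaluate(self, env):
        return self.const + sum(c * env[v] for v, c in self.coeffs.items())


class OddNode:
    """Input action: its label names the action and the input variables it
    binds; its children are the even nodes among which exactly one must apply."""

    def __init__(self, action, input_vars, children):
        self.action = action
        self.input_vars = list(input_vars)
        self.children = list(children)


class EvenNode:
    """Output action: a computation predicate over X(p) and output forms over
    X(p). The start node is an EvenNode with no action and no forms."""

    def __init__(self, action=None, predicate=None, output_forms=None, children=()):
        self.action = action
        self.predicate = predicate or (lambda env: True)
        self.output_forms = dict(output_forms or {})
        self.children = list(children)


class Program:
    def __init__(self, start):
        self.start = start
        self.reset()

    def reset(self):
        self.token = self.start   # current control configuration
        self.env = {}             # X(p): all input variables bound on the path so far
        self.forms = {}           # output forms of the last even node reached

    def step(self, action, values):
        """One input action followed by the dictated output action."""
        odd = next((n for n in self.token.children if n.action == action), None)
        if odd is None:
            raise ValueError(f"no child for input action {action}")
        missing = set(odd.input_vars) - set(values)
        if missing:
            raise ValueError(f"unbound input variables: {sorted(missing)}")
        self.env.update({v: values[v] for v in odd.input_vars})
        live = [n for n in odd.children if n.predicate(self.env)]
        if len(live) != 1:  # the model demands exactly one TRUE predicate
            raise ValueError(f"{len(live)} predicates evaluate to TRUE after {action}")
        self.token = live[0]
        self.forms = self.token.output_forms
        return self.token.action, self.outputs()

    def advance_local_time(self, t):
        """Time passage: local_time changes, so the last forms are re-instantiated."""
        self.env["local_time"] = t
        return self.outputs()

    def outputs(self):
        return {name: f.evaluate(self.env) for name, f in self.forms.items()}


def space_complexity(node):
    """log2 of the maximal degree over the (finite part of the) tree."""
    own = math.log2(len(node.children)) if node.children else 0.0
    return max([own] + [space_complexity(c) for c in node.children])


def figure_8_1():
    """The legible labels of Figure 8-1; the forms for the message values x
    and y of the Send_Aug_Message node are not legible, so they are assumed."""
    early = lambda env: env["a"] - env["b"] < env["local_time"]
    receive = OddNode(
        "Receive_Aug_Message",
        ["local_time", "B(p,q)", "B(q,p)", "a", "b", "c"],
        [EvenNode("Receive_Message", early,
                  {"ext_U": LinearForm({"c": 1}),
                   "ext_L": LinearForm({"local_time": 1, "c": -1})}),
         EvenNode("Receive_Message", lambda env: not early(env),
                  {"ext_U": LinearForm({"a": 1}),
                   "ext_L": LinearForm({"local_time": 1, "a": -1})})])
    send = OddNode(
        "Send_Message", ["local_time"],
        [EvenNode("Send_Aug_Message", None,
                  {"ext_U": LinearForm({"local_time": 1}),
                   "ext_L": LinearForm(),
                   "x": LinearForm({"local_time": 1}),  # assumed form
                   "y": LinearForm()})])                # assumed form
    return Program(EvenNode(children=[receive, send]))
```

Driving `figure_8_1()` with a Receive_Aug_Message whose values are local_time = 10, a = 4, b = 1, c = 5 selects the branch with predicate a − b < local_time and yields ext_U = 5, ext_L = 5; advancing the local time to 12 re-instantiates the same forms and gives ext_L = 7, which is the time-passage behaviour described above. The tree has maximal degree 2, so its space complexity is 1 bit.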

For lower bound purposes, we define the space complexity of a program in our model to 
be the logarithm to base 2 of the maximal degree of a node in the tree. We argue that this 
measure is certainly a lower bound on the number of bits required to distinguish among 
the different possible branches the program may take. We remark that in our proof, the 
lower bound is derived for the odd nodes, i.e., the number of possible output responses for 
an input. 

Before we go into the lower bound proof, we state an important property of our model. 
First, we define the following concept. 

Definition 8.2 Let p be a point in a view V of an execution of a clock synchronization 
system. The values in the local view of p are the set of all local times of points in the local 
view prune(V, p), and all the bounds mapping values for arcs in prune(V, p). 

The important property of values in a local view of a point is that they "span" all 
possible outputs at that point, as stated in the following lemma. 

Lemma 8.2 Any output value of a CSA at a point p in an execution of the system is a 
special linear combination of the values in the local view of p. 


Proof: By induction on the points in the view, sorted by their order of occurrence in the 
execution. The lemma is clearly true in the first step of the execution in the system: the 
only input value at that point is the local time of occurrence, and by definition, the output 
value is just a special linear combination of its input values. 

Assume now that the lemma holds at all points p_1, ..., p_n of the execution, and consider 
the point p_{n+1}. By Lemma 8.1, it is sufficient to show that the input values are special 
linear combinations of values in the local view of p_{n+1}. If p_{n+1} is not the first action at the 
processor, let p_j be the previous action at the processor, and let p_j be undefined otherwise. 
We distinguish between two cases. 

Case 1: p_{n+1} is a send point. In this case, by our model definitions, the input values 
at p_{n+1} are local_time(p_{n+1}), and if p_j is defined, the input also contains the values of the 
standard bounds mapping for (p_{n+1}, p_j) and (p_j, p_{n+1}). Trivially, all these values are special 
linear combinations of values in the local view of p_{n+1}. 

Case 2: p_{n+1} is a receive point. Let p_i denote the corresponding send point in the 
execution. The input values in this case are the local time of occurrence of p_{n+1}, the 
appropriate bounds mapping values, and the values that arrive in the incoming message. 
Since a send point always occurs before the corresponding receive point, we have that 
i < n+1, and by definition, we also have that the local view of p_i is contained in the local 
view of p_{n+1}. By the inductive hypothesis, the values that arrive in a message are special 
linear combinations of values in the local view of p_i, and hence they are also special linear 
combinations of values in the local view of p_{n+1}. This completes the inductive step. □ 


8.2 The Space Lower Bound 


In this section we prove a lower bound on external synchronization in the model defined in 
previous sections. We shall use the following simple lemma. 

Definition 8.3 A function F: D → R is said to be covered by a collection of functions \mathcal{F} 
if for all x ∈ D there exists a function f ∈ \mathcal{F} such that F(x) = f(x). 

Lemma 8.3 Let \bar{x}_1, ..., \bar{x}_M ∈ R^N be such that for any \bar{x}_i = (x_{i1}, ..., x_{iN}) and \bar{x}_j = 
(x_{j1}, ..., x_{jN}) we have that if x_{in} ≠ x_{jn} then x_{in} − x_{jn} is an integer. Let F be a function 
such that F(\bar{x}_i) − F(\bar{x}_j) is an integer only if i = j. If \mathcal{F} is a collection of special linear 
forms covering F, then |\mathcal{F}| ≥ M. 


Proof: By contradiction. If |\mathcal{F}| < M and \mathcal{F} covers F, then for some f ∈ \mathcal{F} and i ≠ j, we 
have that f(\bar{x}_i) = F(\bar{x}_i) and f(\bar{x}_j) = F(\bar{x}_j). Denote f = (c_1, ..., c_N), \bar{x}_i = (x_{i1}, ..., x_{iN}) 
and \bar{x}_j = (x_{j1}, ..., x_{jN}). Suppose, w.l.o.g., that x_{i1} − x_{j1}, ..., x_{iK} − x_{jK} are all integers, and 
that x_{in} = x_{jn} for n = K+1, ..., N. Then 

\begin{align*}
F(\bar{x}_i) - F(\bar{x}_j) &= f(\bar{x}_i) - f(\bar{x}_j) \\
&= \sum_{n=1}^{N} c_n x_{in} - \sum_{n=1}^{N} c_n x_{jn} \\
&= \sum_{n=1}^{N} c_n (x_{in} - x_{jn}) \\
&= \sum_{n=1}^{K} c_n (x_{in} - x_{jn}) ,
\end{align*}

which is an integer, contradicting the assumption that F(\bar{x}_i) − F(\bar{x}_j) is not an integer for 
i ≠ j. □ 
We now turn to prove a lower bound on the space complexity of optimal CSAs in our 
computational model. To simplify presentation, we focus below on the output variable 
ext_L. 

Consider an execution of an external synchronization system, and let Γ be the syn- 
chronization graph generated by the local view of the execution at some point p and the 
standard bounds mapping. From Theorem 6.4, we know that the optimal value for ext_L 
at point p is precisely local_time(p) − d(sp, p), where sp is the source point of Γ, and d is 
the distance function of Γ. The lower bound is proven by showing that unbounded space is 
required to compute d(sp, p) for a point p in a certain scenario. 

Specifically, we consider a system whose underlying graph is a line of four processors 
denoted s, u, v, w (see Figure 8-2 (a)). Processor s is the source processor; processors u 
and v have drifting clocks, and the clock at w is drift-free. We concentrate on the CSA 
at w. As mentioned above, the optimal value of ext_L at a point p of the execution is 
local_time(p) − d(sp, p). Since local_time(p) is an input variable at p, the task we consider 
reduces, at each point p, to the computation of d(sp, p). 

The following key lemma describes a scenario in which a single local view may have 
many different extensions, depending on the message that arrives next. The output for 
each possible extension must be different; the special properties of the input variables at 
the receive point are used later to prove the space lower bound. 


Lemma 8.4 For any integer M > 0 there exist M executions e_1, ..., e_M with views V_1, ..., V_M 
and synchronization graphs Γ_1, ..., Γ_M, respectively, and a receive point p that occurs at w, 
such that 

1) p is common to all views. 
2) The local views of V_1, ..., V_M at w are identical before p occurs. 
3) All values in the message that arrive at p are integers. 
4) For each i = 1, ..., M, the distance between sp and p in Γ_i is 1/(i+1). 


Proof: We construct the views, and specify the weights of the arcs in the corresponding syn- 
chronization graphs as we go. In our construction, all arc weights are non-negative, and 
hence there are no negative-weight cycles in any of the synchronization graphs we define. There- 
fore, the proof is completed by observing that by Theorem 5.7, for each i there exists an 
execution e_i with view V_i, such that e_i satisfies the bounds mapping derived from Γ_i and 
V_i. 

Figure 8-2: (a) System structure for the proof of Lemma 8.4. Processor s is the source, 
and processor w also has a drift-free clock. (b,c) An example for graphs constructed in the 
proof of Lemma 8.4 with M = 3. In (b), the local view at w before p (shared by all V_i) is 
illustrated (the messages from v are known to be sent). In (c), the local view at w after p 
is illustrated: in V_i, the selector message is received at point u_i. 

It remains to define the views and the bounds mapping. We do it as follows (see 
Figure 8-2 (c)). In all views V_i for i = 1, ..., M, there are M messages from processor 
v to processor u, with distinct send points denoted v_1, ..., v_M, and distinct receive points 
denoted u_1, ..., u_M, respectively. The bounds mapping is such that in all the Γ_i we have 
w(v_k, u_k) = 0, w(u_k, v_k) = 1 for k = 1, ..., M, and w(v_k, v_{k+1}) = w(v_{k+1}, v_k) = w(u_k, u_{k+1}) = 
w(u_{k+1}, u_k) = 1 for k = 1, ..., M−1. Also, in all views V_i there are M messages sent 
from v to w with send points denoted v_1, ..., v_M, and receive points denoted w_1, ..., w_M, 
respectively. In all the Γ_i we have w(w_k, v_k) = 1 for all k. The weight of the arc (v_k, w_k) is 
defined to be 1/(k+1). 

In addition, all views V_i have a message m sent from u to v after the last u_k point, and 
a message m' sent from v to w after m is received at v. The receive point of m' is the point 
p promised in the statement of the lemma. The weight of the four arcs corresponding to m 
and m' is 1 in all Γ_i. 
Figure 8-3: A schematic summary of the distance situation for a typical view V_i. The arcs 
that are not drawn have weight 1. The distance from the source point to p is w(v_i, w_i) = 
1/(i+1). (Legend of the figure: source point; selector message (zero weight); zero-weight 
arcs; positive weight arcs; zero-weight paths.) 


Only the following feature differs in the different views V_i: for each i ∈ {1, ..., M}, 
we have in view V_i a message, called the selector message, sent from the source processor 
at point sp and received at processor u at point u_i. In Γ_i, we have w(sp, u_i) = 0 and 
w(u_i, sp) = 1. 

Finally, we choose the local times of all points in all views to be integers. Thus, the 
bounds mapping values, which are determined by the local times and the arc weights, 
are also all integers, except for the pairs (v_k, w_k) for k = 1, ..., M. This completes the 
description of the views V_i. 

We now observe that the views thus defined have the required properties. Parts (1) and 
(2) are immediate from the construction: p is common to all views, and the local view at 
w before p is identical for all V_i (see Figure 8-2 (b)). Part (3) of the lemma follows from 
Lemma 8.1 and the fact that by construction, all values in the local view at the point at 
which m' is sent are integers. Finally, Part (4) of the lemma is clear from the construction 
(see Figure 8-3). □ 


We can now prove the space lower bound. 

Theorem 8.5 Let A be a general external CSA. If A is an optimal algorithm (as defined 
in Def. 4.1), then its space complexity cannot be bounded by a function of the system size. 

Proof: Suppose A is a general optimal synchronization algorithm for external synchro- 
nization. Then by Theorems 6.3 and 6.4, at any point p that occurs at processor v in an 
execution, it must be the case that ext_L_p = local_time(p) − d(sp, p), where d and sp are the 
distance function and the source point, respectively, in the corresponding synchronization 
graph. By Lemma 8.4, for any M > 0 there are M scenarios with a common point p such 
that at p, the local input variables are the same in all scenarios, the other input values 
are all integers, and such that in scenario i the optimal output is local_time(p) − 1/(i+1). 
Letting \bar{x}_1, ..., \bar{x}_M denote the input values of these scenarios, and letting F denote the 
optimal value of ext_L, we can therefore apply Lemma 8.3, and deduce that there are at least 
M distinct output forms associated with p. It follows that the degree of the odd node in 
the program corresponding to p is arbitrarily large, and since the space complexity of a 
branching program is the logarithm of the maximal degree of a node, we conclude that the 
space required by the program cannot be bounded as a function of the network size. □ 


Remark. The crucial property of the model used in the lower-bound argument is the re- 
striction that output is represented by special linear combinations. We argue that this 
restriction is reasonable for two reasons. First, we know that optimal output can be com- 
puted this way: synchronization distances can be expressed as special linear combinations 
of local times and bounds. And secondly, as already mentioned above, if we do not impose 
restrictions on the computational model, there is no hope for a space lower bound, since an 
unbounded amount of state information can be encoded in a single real number. 
Summary 

In this chapter we looked at the space complexity required to store the state of optimal 
CSAs for external synchronization. We defined a computational model, where output may 
be represented only by linear combinations of the input values with integer coefficients. The 
program is represented by a tree, and the space complexity is the logarithm of the maximal 
branching factor in the tree. We then proved that there are executions of very simple 
systems (we used four processors), for which the space complexity of an optimal CSA 
cannot be bounded. This means that any optimal algorithm for external synchronization 
that works for all environments must have unbounded space complexity. The implication 
of this result is that there is no synchronization algorithm which is simultaneously efficient, 
optimal and general. 
Chapter 9 

Extensions 

The analysis of synchronization graphs, presented in Chapter 5, was developed for the 
model of clock synchronization systems, as defined in Chapter 3. This model, while being 
arguably a reasonable abstraction of real systems, is restrictive. In this chapter we look at a 
few simple variants of the basic model, and show how, using our concept of synchronization 
graph, one can analyze these variants quite easily. 

Our discussion is presented in three parts. In Section 9.1 we consider the case of addi- 
tional timing constraints. We show how a few kinds of additional timing constraints can 
be incorporated into synchronization graphs. In Section 9.2 we discuss timing faults, i.e., 
cases where an execution violates the system specification. We define a natural notion of 
detectable faults, and show that synchronization graphs can be used to detect the existence 
of such faults. In Section 9.3 we consider structured send modules, i.e., systems in which 
the message sending pattern has a more regular structure. Using a simple example, we 
explain how knowledge of the structure of the send modules can help in generating timing 
information without explicit communication. 


9.1 Additional Timing Constraints 


The definition of clock synchronization systems in Chapter 3 allows for two sources of timing 
information: the message latency bounds and the clock drift bounds. It is often the case 
that we have some additional sources of timing information. For example, the presence of 
a human operator at a site may suffice to ensure that the absolute offset of the local clock 
at that site is never too big. Another example is a broadcast of a message to a subset of 
the processors, where it is known that the message is delivered at all processors within a 
period of known length (even though the time to deliver any individual message may be 
arbitrary). Having such additional information may improve the synchronization attained 
by CSAs. Below, we describe ways to incorporate a few simple types of such knowledge 
into synchronization graphs. By doing this, the distances in the synchronization graph 
have the additional information built into them, and can therefore be used to get better 
synchronization. 


9.1.1 Absolute Time Constraints 


Suppose we know somehow that "an event p occurs at real time at least a," or that "an 
event p occurs at real time at most b." Formally, we may have absolute time constraints, 
defined to be statements of the form 

    now(p) ∈ [a, b] , 

where p is a point in the view, and [a, b] is a (possibly infinite) interval of real numbers. 
Absolute time constraints can be incorporated in the synchronization graph as follows. 
We introduce a new point into the graph, called the origin and denoted by s_0, where 
for analysis purposes we assume that local_time(s_0) = now(s_0) = 0. (Intuitively, the 
origin can be thought of as representing the initialization event of the execution.) For 
each absolute time constraint now(p) ∈ [a, b], we introduce two arcs (p, s_0) and (s_0, p) into 
the synchronization graph, with weights 

    w(s_0, p) = −a, and w(p, s_0) = b . 

It is easy to see, using Lemma 5.2 and the attributes of the origin as defined above, that the 
new arcs and weights express the given constraint. Bounds on relative offsets of the points 
in the view can now be obtained as usual, by finding distances between the desired points 
in the extended synchronization graph. In addition, bounds on the absolute offsets can be 
obtained by computing the distances to and from the origin: with the real and local time 
attributes we assigned to the origin s_0, we have that for any point p, δ(p) = δ(p, s_0), 
and hence δ(p) ∈ [−d(s_0, p), d(p, s_0)]. 


By adding the origin node and its incident edges, the distances in the synchroniza- 
tion graph may drop, resulting in tighter bounds on the offset between points, i.e., better 
synchronization. 


9.1.2 Relative Time Constraints 


Suppose that we have information of the type "at least a time units elapse between the 
occurrence of an event p until the occurrence of an event q," or "at most b time units elapse 
between the occurrence of an event p until the occurrence of an event q." Formally, we may 
have a pairwise time constraint, given as a statement of the form 

    now(q) − now(p) ∈ [a, b] . 

Modeling pairwise time constraints is done using the tools we already have: the interpreta- 
tion of such a statement is simply that the bounds mapping B of the pattern in question 
should be extended to include B(q, p) = b and B(p, q) = −a. To translate this information 
into the distance measure of synchronization graphs, we augment the graph with arcs (p, q) 
and (q, p), and assign their weights as usual (see Def. 5.4). As before, the introduction of 
additional arcs into the synchronization graph may reduce the distances between points, 
thus resulting in tighter bounds on synchronization. 

Another instance of relative time constraints is where a set of events is known to occur 
within a time interval of known length. (Halpern and Suzuki [12] make this assumption for 
the set of receive events of a broadcast message.) Formally, we have a set Q of events, such 
that for any pair p_i, p_j ∈ Q we know that 

    now(p_i) − now(p_j) ≤ a , 

and the reduction to pairwise time constraints is obvious. 

Remark. It may be interesting to push further the idea underlying the simple technique 
suggested above for pairwise time constraints. The way we developed our model in Chapter 
3, we had the natural notion of adjacent points (cf. Def. 3.9), and the bounds mapping was 
defined only for pairs of adjacent points. This definition was motivated by the assumption 
that the only sources of timing information are the specifications of local clocks and network 
links. The idea in the generalization suggested above is that the basic relation is pairwise 
time constraints, rather than adjacency. Put in other words, instead of defining the bounds 
mapping in terms of the classical adjacency relation, we should define the adjacency relation 
in the synchronization graph in terms of the pairwise time constraints. 


9.2 Fault Detection 

Throughout the discussion of synchronization graphs we relied heavily on their "integrity," 
namely the fact that act_del(p, q) ≤ B(p, q) for all adjacent points p, q. Since this assump- 
tion may not always hold (e.g., if some component of the system fails, or if the specification 
is simply wrong), it is interesting to understand what happens in that case. Fortunately, 
Theorem 5.4 guarantees a strong fault-detection property. Let us first define the notion 
of detectable fault. 

Definition 9.1 Let V be a view and let B be a bounds mapping for V. V is said to have a 
detectable fault with respect to B if there is no pattern with view V that satisfies B. 

Using Theorem 5.5, we derive the following result. 

Lemma 9.1 Let V be a view of an execution of a clock synchronization system, and let B 
be a bounds mapping for V. Then V has a detectable fault with respect to B if and only if 
the synchronization graph Γ defined by V and B contains a negative weight cycle. 

Proof: Suppose first that Γ contains a negative cycle. Then it follows from Theorem 5.6 
that there is no pattern with view V that satisfies B, and hence V has a detectable fault 
w.r.t. B. Conversely, suppose that Γ does not contain a negative-weight cycle. If Γ is empty, 
then trivially V does not contain a detectable fault w.r.t. B, and we are done. Otherwise, 
let p_0 be any point in Γ. By Theorem 5.7, there exists at least one pattern P with view V 
such that P satisfies B, and hence V has no detectable faults w.r.t. B. □ 

We remark that algorithms that use our techniques probably compute distances over 
the synchronization graph anyway. Since shortest-path algorithms for general edge weights 
usually discover negative weight cycles, we get fault detection "for free." However, we 
remark that we do not know of a general technique for fault correction using synchronization 
graphs directly. 
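The following Python example is added here and is not code from the thesis; it serves Sections 9.1.1, 9.1.2 and 9.2 together, because all three reduce to one computation: shortest-path distances over arcs with possibly negative weights, and a negative-weight cycle signalling a detectable fault (Lemma 9.1). It is a simplification and does not reproduce Def. 5.4: a node stands for an event and an arc weight w(p, q) is taken as an upper bound on now(p) − now(q). With the origin s_0 fixed at now(s_0) = 0 this is exactly the encoding w(s_0, p) = −a, w(p, s_0) = b of an absolute constraint now(p) ∈ [a, b] given above; the encoding of a pairwise constraint now(q) − now(p) ∈ [a, b] as w(p, q) = −a, w(q, p) = b is the same form with p in the role of s_0, and is an assumption of this example. The scenario, node names and numbers are constructed for illustration. The offset bounds are computed as [−d(p, q), d(q, p)], the Bellman-Ford pass that starts every node at distance 0 finds a negative cycle anywhere in the graph, and the tightened example shows the distance drop through the origin that Section 9.1.1 mentions.

```python
import math

INF = math.inf


class SyncGraph:
    """Toy synchronization graph for the extensions of Sections 9.1 and 9.2.

    Assumed simplification (not the thesis's Def. 5.4): a node is an event and
    the weight w(p, q) is an upper bound on now(p) - now(q).  The origin s0 is
    fixed at now(s0) = 0, which makes now(p) in [a, b] read exactly as in
    Section 9.1.1: w(s0, p) = -a and w(p, s0) = b.
    """

    ORIGIN = "s0"

    def __init__(self):
        self.nodes = {self.ORIGIN}
        self.arcs = {}  # (p, q) -> weight

    def add_arc(self, p, q, w):
        self.nodes.update((p, q))
        # several constraints on the same pair: keep the tighter bound
        self.arcs[(p, q)] = min(self.arcs.get((p, q), INF), w)

    def add_absolute(self, p, a, b):
        """Absolute time constraint now(p) in [a, b] (Section 9.1.1)."""
        self.add_arc(self.ORIGIN, p, -a)
        self.add_arc(p, self.ORIGIN, b)

    def add_pairwise(self, p, q, a, b):
        """Pairwise constraint now(q) - now(p) in [a, b] (Section 9.1.2),
        encoded like the absolute case with p in the role of s0 (assumed)."""
        self.add_arc(p, q, -a)
        self.add_arc(q, p, b)

    def add_common_window(self, points, a):
        """A set Q of events within a of each other: now(p) - now(q) <= a
        for every ordered pair, e.g. the receive events of one broadcast."""
        for p in points:
            for q in points:
                if p != q:
                    self.add_arc(p, q, a)

    def _relax(self, dist):
        """Bellman-Ford relaxation in place; True iff a negative cycle is
        reachable from the nodes that start with a finite distance."""
        for _ in range(len(self.nodes) - 1):
            changed = False
            for (p, q), w in self.arcs.items():
                if dist[p] + w < dist[q]:
                    dist[q] = dist[p] + w
                    changed = True
            if not changed:
                break
        return any(dist[p] + w < dist[q] for (p, q), w in self.arcs.items())

    def has_detectable_fault(self):
        """Lemma 9.1: a detectable fault iff some negative-weight cycle exists.
        Starting every node at 0 behaves like a virtual source with zero-weight
        arcs to all nodes, so a cycle anywhere in the graph is found."""
        return self._relax({v: 0.0 for v in self.nodes})

    def distances(self, src):
        """The distance function d(src, .); refuses a graph with a fault."""
        dist = {v: INF for v in self.nodes}
        dist[src] = 0.0
        if self._relax(dist):
            raise ValueError("negative-weight cycle: detectable fault")
        return dist

    def offset_bounds(self, p, q):
        """Bounds on now(q) - now(p), namely [-d(p, q), d(q, p)]."""
        return (-self.distances(p)[q], self.distances(q)[p])

    def absolute_bounds(self, p):
        """Bounds on now(p): [-d(s0, p), d(p, s0)] as in Section 9.1.1."""
        return self.offset_bounds(self.ORIGIN, p)


# Constructed scenario: an operator guarantees that event p happens at real
# time 10..14; a message sent at p is received at q with delay in [1, 3]; q and
# r are receive events of one broadcast known to lie within 2 time units.
def build_example():
    g = SyncGraph()
    g.add_absolute("p", 10, 14)
    g.add_pairwise("p", "q", 1, 3)
    g.add_common_window(["q", "r"], 2)
    return g


def tightened_example():
    """Extra absolute knowledge about r shortens d(r, p) via the origin."""
    g = build_example()
    g.add_absolute("r", 10, 12)
    return g


def faulty_example():
    """now(q) <= 5 contradicts the implied now(q) >= 11: the cycle
    s0 -> p -> q -> s0 has weight -10 - 1 + 5 = -6."""
    g = build_example()
    g.add_absolute("q", 0, 5)
    return g


if __name__ == "__main__":
    print(build_example().absolute_bounds("r"))         # (9.0, 19.0)
    print(build_example().offset_bounds("p", "r"))      # (-1.0, 5.0)
    print(tightened_example().offset_bounds("p", "r"))  # (-1.0, 2.0)
    print(faulty_example().has_detectable_fault())      # True
```

In `build_example()` the bound now(r) − now(p) ≤ 5 comes from the path r → q → p of weight 2 + 3; once `tightened_example()` adds now(r) ∈ [10, 12], the path r → s_0 → p of weight 12 − 10 = 2 is shorter, which is the drop in distance through the origin described above. `faulty_example()` carries a negative cycle, so `has_detectable_fault()` reports a detectable fault and `distances()` refuses to produce bounds, matching the remark that a shortest-path routine supplies fault detection for free.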
9.3 Structured Environments 

The basic theory studies the case where send modules are completely unstructured (techni- 
cally, the "send" action is always enabled), and where the link automata may lose messages 
arbitrarily. Somewhat surprisingly, it turns out that one may gain timing knowledge also 
from the absence of a message receive event, in the case of reliable communication.¹ 

We now explain how one can add arcs to the synchronization graph for messages which 
are guaranteed to arrive, but haven't arrived. Again, the extra arcs may result in shorter 
distances and hence better synchronization. 

In the following lemma, we assume that the drift upper bound of one of the clocks is at 
least 1. This can be done without loss of generality since local time readings can be scaled 
to satisfy this assumption. 


Lemma 9.2 Suppose that the send module at processor u is such that a message m is 
always sent at a point q with known local time, suppose that the link automaton L_{uv} is 
such that m is guaranteed to be always received at processor v within H(m) time units, and 
suppose further that the drift upper bound of the clock at v satisfies ρ_v ≥ 1. Then for any 
point p at v where m has not yet been received we have δ(p, q) ≤ H(m) − virt_del(p, q). 

Proof: Consider the point p' at which m is received at v. By assumption, ρ_v ≥ 1. Since 
p occurs at v before p', we have local_time(p') ≥ local_time(p), and hence virt_del(p', q) ≥ 
virt_del(p, q) and virt_del(p', p) ≥ 0. Therefore, using Def. 3.11 and Lemmas 5.1 and 5.2, 
we get 

\begin{align*}
\delta(p, q) &= \delta(p, p') + \delta(p', q) \\
&\le (1 - 1/\rho_v) \cdot \mathit{virt\_del}(p', p) + H(m) - \mathit{virt\_del}(p', q) \\
&\le H(m) - \mathit{virt\_del}(p, q) .
\end{align*}
□ 

The consequence of Lemma 9.2 is that if communication links do not lose messages and 
have finite latency upper bounds, one can add points and arcs to the synchronization graph, 
even if these points are not in the local view. Using the notation of Lemma 9.2, although q 
is not a part of the local view at p, the synchronization graph at p might as well include q 
and an arc (q, p) whose weight is w(q, p) = H(m) − virt_del(p, q) (since we have a pairwise 
time constraint between p and q). 

¹ The place where the fact that messages may be arbitrarily lost was used is in the proof of Theorem 3.2, 
where we proved that any local view at a point is also a complete view of some execution. This theorem 
does not hold in the case where some messages are guaranteed to be delivered: a local view that contains 
only the send point of such a message is not the complete view of any execution. 
Summary 

In this chapter we discussed a few simple extensions of the basic model. We showed how to 
incorporate additional assumptions, such as absolute time constraints and relative time con- 
straints, into the synchronization graph. Such constraints may be known due to unmodeled 
parts of the system. 

We also proved a strong fault detection capability for synchronization graphs. Despite 
the fact that we do not know how to exploit a synchronization graph directly for error 
correction, we get fault detection essentially for free. 

Finally, we showed that if the send module is structured in a certain simple sense, 
and if communication links are reliable, then some timing information may be derived 
even from absence of messages. We showed how to incorporate such information into the 
synchronization graph. 

These examples demonstrate the robustness of the basic concept of synchronization 
graphs. Many more variants are possible (e.g., finite granularity clocks, and external syn- 
chronization systems with multiple sources). 
Chapter 10 


Conclusion 


Our hope is that the main contribution of this thesis is improved understanding of the clock 
synchronization problem. We believe that the insight developed in this thesis may lead to 
better synchronization protocols. We have suggested a new viewpoint for the problem, and 
presented new analytical tools and algorithmic techniques to deal with clock synchroniza- 
tion. Our results indicate that there is no “ultimate solution” for clock synchronization, but 
they leave hope that optimal efficient algorithms can be found for particular systems, or that 
better algorithms can be developed for general systems. For example, it seems reasonable 
to assume that our techniques can be implemented over the Internet, thus improving on 
the current version of NTP [26]. In addition, by implementing our methods with bounded 
space, one can get algorithms which are optimal with respect to a part of the execution 
(e.g., an algorithm that guarantees that its output is the best possible output for the last 
day). 

On the theoretical side, we believe that synchronization graphs may prove a useful tool in 
the analysis of timing-based systems. In a sense, synchronization graphs can be viewed as a 
weighted version of Lamport’s graphs [16]: Lamport used his unweighted graphs to describe 
executions of completely asynchronous systems; synchronization graphs are weighted, and 
can be used to describe executions of systems where processors have clocks. 

Let us review the main weaknesses of synchronization graphs. Informally, the usefulness 
of synchronization graphs relies on a few strong assumptions. 

(1) The system specification is such that if an event may occur at either of two points, 
then this event may occur at any time between them. 

(2) Processors follow the system specification. 

(3) All executions that satisfy the system specifications are possible. 

As we mentioned in this thesis, assumption (1) cannot be compromised by our analysis. 
Without it, clock synchronization problems cannot even be expressed as linear programs. 
Regarding assumption (2), we gave a partial answer for the problem of systems that do 
not adhere to their specification by showing that synchronization graphs can be used for 
fault detection. We hope that error correction can also be aided by synchronization graphs. 
Assumption (3) leaves room for specializing the synchronization graphs according to the 
particular system being considered. We demonstrated such adaptations with a few simple 
examples. 

Since clock synchronization is used throughout the spectrum of distributed systems — 
starting from a single VLSI chip, and ranging up to a global network — it is conceivable 
that the effect of even a slight improvement in the tightness of synchronization may be 
sweeping. For example, tighter synchronization of the transmitting and receiving endpoints 
of communication links can lead to better utilization and hence larger throughput of the 
communication network; better synchronization may imply shorter processing time for large 
databases. We hope that despite its weaknesses, this thesis can be used to improve syn- 
chronization in many cases. This may lead to a slightly more convenient world, and it 
can perhaps be translated into financial profit (for example, Merrill Lynch is using NTP to 
synchronize their worldwide network [11]). 

It may be interesting to note that after our preliminary paper [29] was published, a few 
papers which have considerable overlap with our results have appeared. Specifically, Dolev 
et al. [8] have defined the notion of observable clock synchronization which is closely related 
to our notion of optimal clock synchronization. Their analysis is for the special case where 
the communication is done over a broadcast channel. Moses and Bloom [27] look at the 
problem of clock synchronization from the knowledge theoretic perspective. They study 
the case of drift-free clocks, and their main result can be viewed as a special case of one 
of our characterization theorems. Ajtai et al. [2] present an approach for the analysis of 
distributed algorithms which is closely related to our notion of local competitiveness. 


Let us conclude with some interesting problems that this thesis leaves unsolved. 

Fault Resilience: It would be interesting to develop a technique that uses synchronization 
graphs in the presence of errors, such that erroneous data can be overcome, more than 
merely detecting the existence of an error. 

Internal synchronization: We do not know of a good technique for on-line distributed 
internal synchronization other than the naive use of external synchronization algorithms. 
Conceivably, synchronization graphs can be used to this end. 
Appendix A 
Time-Space Diagrams 


In this appendix we present Time-Space Diagrams [17]. This representation method is 
a convenient way to graphically draw and view executions of distributed systems. (See 
Figure A-1 for an example.) The idea is that the x coordinate is used to denote location 
in space (which is, in the context of distributed systems, simply a processor name), and 
the y coordinate is used to denote real time. Since the physical location of processors is 
immaterial, processors are represented by vertical lines labeled by their names. In our 
diagrams we follow the convention that time grows downwards. 

Given an execution of a system, its time-space diagram is drawn by the following two 
rules. First, the events of the execution (such as message send and receive) are represented 
by points, and hence the (x, y) coordinates of each event are determined by its location 
and time of occurrence. And secondly, a message is represented by a directed arrow, that 
connects the point corresponding to its send event to a point corresponding to its receive 
event. We can model in this way many types of communication assumptions, including 
broadcast (for example, in Figure A-1 processor v sends messages simultaneously to u and 
w), message duplication (in Figure A-1 there are two receive events at v that correspond 
to a single send event at u), message re-ordering (the messages sent by w in Figure A-1 are 
received in reversed order at v), and message loss (the first event at v in Figure A-1 might 
be a send event of a message which is not received). 

Figure A-1: An example of a time-space diagram (vertical lines for processors u, v and w; time axis growing downwards). 
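The two drawing rules above, as an added example that is not part of the thesis: an execution is a list of events with an x coordinate (processor name) and a y coordinate (real time), arrows pair each receive with its send, and the same structure is checked for the four communication patterns of Figure A-1 (the event list is constructed to match the figure's description, not taken from the thesis).

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Event:
    proc: str    # x coordinate: the processor name
    time: float  # y coordinate: real time (the diagram grows downwards)
    kind: str    # "send" or "recv"
    msg: str     # message id; a "recv" names the send it corresponds to


def arrows(events):
    """Build the directed arrows of the diagram as (send event, receive event) pairs."""
    sends = {e.msg: e for e in events if e.kind == "send"}
    arcs = []
    for r in (e for e in events if e.kind == "recv"):
        s = sends.get(r.msg)
        if s is None or r.time <= s.time:  # an arrow may never point upwards (back in time)
            raise ValueError(f"inconsistent receive of {r.msg} at {r.proc}")
        arcs.append((s, r))
    return sends, arcs


def classify(events):
    """Report which of the Figure A-1 communication patterns the execution exhibits."""
    sends, arcs = arrows(events)
    by_msg = defaultdict(list)
    for s, r in arcs:
        by_msg[s.msg].append(r)
    lost = sorted(m for m in sends if m not in by_msg)                # send with no receive
    broadcast = sorted(m for m, rs in by_msg.items() if len({r.proc for r in rs}) > 1)
    duplicated = sorted(m for m, rs in by_msg.items() if len(rs) > len({r.proc for r in rs}))
    reordered = set()  # two messages on the same link, sent in one order and received in the other
    for (s1, r1), (s2, r2) in combinations(arcs, 2):
        same_link = s1.proc == s2.proc and r1.proc == r2.proc and s1.msg != s2.msg
        if same_link and (s1.time - s2.time) * (r1.time - r2.time) < 0:
            reordered.add(tuple(sorted((s1.msg, s2.msg))))
    return {"lost": lost, "broadcast": broadcast, "duplicated": duplicated,
            "reordered": sorted(reordered)}


# Constructed execution modelled on the description of Figure A-1 (hypothetical times).
FIGURE_A1 = [
    Event("v", 0.0, "send", "m0"),                                  # never received: loss
    Event("v", 1.0, "send", "m1"), Event("u", 2.0, "recv", "m1"),
    Event("w", 2.5, "recv", "m1"),                                  # one send, two processors: broadcast
    Event("u", 3.0, "send", "m2"), Event("v", 4.0, "recv", "m2"),
    Event("v", 5.0, "recv", "m2"),                                  # two receives at v: duplication
    Event("w", 1.0, "send", "m3"), Event("w", 2.0, "send", "m4"),
    Event("v", 3.5, "recv", "m4"), Event("v", 6.0, "recv", "m3"),   # w -> v arrive in reversed order
]

if __name__ == "__main__":
    print(classify(FIGURE_A1))
```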